Privacy Policy and Privacy Notice

October 2023

PART 1 PRIVACY NOTICE

This privacy policy explains how our organisation uses the personal data we collect from you when you engage with our services. For the purpose of this document, Digital Resilience UK is referred to as DR UK.

1.0 Definitions

Data Controller:

Unless otherwise stated in contracted work via specific clauses, DR UK is the data controller. We determine the purposes and means of processing client personal data. In the case of videography, web and VR content, we decide how personal data is collected and processed, including the use of third-party data processors.

Data Processor:

A data processor is an entity that processes personal data on behalf of the data controller. DR UK uses third party subcontractors to handle specific aspects of data processing, such as editing, storage, VR headset management and content distribution. All data processors are obligated to implement appropriate security measures and policies to comply with our data controller privacy and policy positions. Using industry-standard approaches and publishing policy positions allows for data protection alignment within the creative industry specialism.

1.1 What data do we collect?

- We collect image, video and audio data for the purpose of creating creative videography, podcast and VR application content.
- We collect podcast analytics via the Buzzsprout hosting platform.
- We collect website traffic data from SquareSpace and Google Analytics.
- We use third-party platforms for mobile device management (MDM) solutions to provide analytical data on the usage of VR headsets enrolled in our managed VR headset service. This data includes headset location, uptime, network IP address and app usage.

1.2 How do we collect your data?

- Via our camera operatives and audio engineers (live production recording)
- Using the third-party web tools and MDM platforms listed in 1.1
- Using our website
- Via traditional office productivity tools (email and collaborative document authorship)
- Via VR headsets

1.3 How do we use your data?

Data is used for creating content for clients (video, animation, audio and VR outputs) and for analysing the distribution and engagement of content. The creative output of each project is transferred to the client as defined in each individual contract - this is usually via secure transfer of still images, mp4 video or packaged app installer files (.apk + .obb).

We seek permission from clients to publish parts of certain projects within our showreel for DR UK marketing and business development. We collect photography and videography release agreements from each data subject involved in recording work so that they give personal permission for onward use of their image.

We do not pass any data on to third parties or partner organisations without direct permission of a data subject.

1.4 How do we store your data?

We store data on our cloud platform (MS365) with necessary cloud data protection security protocols enabled. Our policy is to keep data for 3 years then automatically delete unless specifically requested that we retain it by clients.

We use physical local server and backup capabilities (SSD) for large size creative content (video and photographic). All other data is stored on cloud platforms.

Our subcontracted data processors (platforms) have publicly available privacy notices and protocols:

- ManageXR
- Vimeo
- Microsoft
- GitHub

1.5 What are your data protection rights?

Clients and individuals can request data at any point via a subject access request. Individuals can revoke permission to use any image, video or representation. Our clients retain the rights to images and data unless a photographic/videography release form has been signed or digitally agreed by the individual data subject.

1.6 Corporate Clauses

1.6.1 Data Controller and Processor Status - Per Contract

- Corporate clients retain Data Controller rights over any of their corporate personnel or associate network (Health Care Professionals).

For GDPR purposes, the parties mutually acknowledge and agree that DR UK functions as a "Processor," while the Client serves as a "Controller." This recognition delineates our respective roles and relationships under the General Data Protection Regulation.

1.6.2 Contractual Basis

DR UK is committed to adhering to its obligations under applicable Data Protection Laws in the processing of Personal Information. This processing pertains to providing and offering DR UK services to the Client, and such processing will continue until the termination or expiration of the Customer's contractual agreement.

1.6.3 Roles of the Parties

Regarding the roles of the parties, DR UK and the Client acknowledge that the determination of each party's status is a factual matter governed by applicable Data Protection Laws. Without limiting the foregoing, DR UK and the Client agree that DR UK may collect, retain, access, maintain, use, disclose, process and transfer personal data of its Client, and use it within the scope of this policy and the individual contracts of work.

1.6.4 Subcontracting Data Processing

This processing extends to DR UK subcontractors but solely and explicitly for the purpose of performing the stated services and for no other commercial purpose. DR UK are accountable for ensuring that their processing of Personal Information complies with all relevant Data Protection Laws and GDPR.

1.6.5 Medical Sector Considerations

Any clients providing HCP contact details or film footage of patients discussing living with their medical condition will explicitly retain data controller rights. DR UK will act as a data processor in these circumstances.

1.7 Disclosure

DR UK would like to make sure you are fully aware of all of your data protection rights:

- The right to access – You have the right to request DR UK for copies of your personal data.
- The right to rectification – You have the right to request that DR UK correct any information you believe is inaccurate. You also have the right to request DR UK to complete the information you believe is incomplete.
- The right to erasure – You have the right to request that DR UK erase your personal data, under certain conditions.
- The right to restrict processing – You have the right to request that DR UK restrict the processing of your personal data, under certain conditions.
- The right to object to processing – You have the right to object to DR UK’s processing of your personal data, under certain conditions.
- The right to data portability – You have the right to request that DR UK transfer the data that we have collected to another organisation, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email: privacy@druk.org.uk

Changes to our privacy policy

DR UK will update you via email if there are any changes to the privacy policy relating to your data.

How to contact us

privacy@druk.org.uk

How to contact the appropriate authorities

Information Commissioner's Office: https://ico.org.uk

PART 2: DATA PROTECTION EXHIBIT

*This exhibit can be used as a contract appendix.

This Data Protection Exhibit shall be read in conjunction with any written terms entered into with DR UK for the provision of DR UK services that reference this Exhibit (“Agreement”). Unless defined herein, capitalised terms used in this Data Protection Exhibit will have the meaning given to them in the Agreement.

1. DR UK and Customer each warrant that they will each duly observe all their obligations under the Data Protection Legislation which arise in connection with the performance of their respective obligations under the Agreement, and that they shall not, in respect of personal data to be processed under or in connection with the Agreement, do any act or make any omission which puts the other party in breach of its obligations under the Data Protection Legislation.

2. DR UK and Customer recognise that: (i) where DR UK is processing any Customer Data that is personal data (“Customer Personal Data”) on behalf of Customer under or in connection with the Agreement, Customer is a controller and DR UK is a processor; and (ii) DR UK and Customer are controllers independently of each other in respect of any other processing of Customer Personal Data or other personal data under or in connection with the Agreement. The types of Customer Personal Data contained within Customer Data and the categories of data subjects to which it relates are broad and will include any individual who sends or receives communications made in connection with the use of the Services. Where DR UK processes any Customer Personal Data on Customer’s behalf as a processor under or in connection with the Agreement,

DR UK shall:
a) only process Customer Personal Data as is necessary to provide the Services and fulfil its obligations under the Agreement (which, for the avoidance of doubt, includes DR UK providing Customer with access to and use of the Services) and/or as otherwise specifically provided in this Agreement;

b) implement appropriate technical and organisational measures against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, any Customer Personal Data including as appropriate pseudonymisation and encryption of Customer Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident and/or a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

c) notify Customer without undue delay after having become aware of any actual or suspected personal data breach of Customer Personal Data;

d) only make a transfer to which Chapter V of the GDPR applies of Customer Personal Data from the European Economic Area (“EEA”) and/or UK to outside the EEA and/or UK in compliance with the terms of paragraph 3 of this Data Protection Exhibit;

e) ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality on appropriate terms or are under an appropriate statutory obligation of confidentiality;

f) not appoint a sub-processor without Customer's authorisation (and Customer authorises DR UK appointing sub-processors in accordance with paragraph 5 of this Schedule) and in the event that Customer does provide such authorisation, DR UK will ensure that such sub-processor is bound by terms similar to those of this Data Protection Exhibit and DR UK shall be responsible for any breach by such sub-processor of any of the obligations under this Data Protection Exhibit;

g) assist Customer, with appropriate technical and organisational measures, in complying with Customer's obligations under Chapter III of the GDPR and assist Customer in ensuring the security of processing;

h) make available to Customer all information necessary to demonstrate compliance with the Data Protection Requirements, including:

(i) informing Customer if, in DR UK's opinion, processing Customer Personal Data on behalf of Customer for the purposes of the Agreement infringes the Data Protection Requirements; and

(ii) allowing for and contributing to audits conducted by Customer or its representatives on reasonable notice and only as is reasonably necessary to demonstrate DR UK's compliance with this Data Protection Exhibit (such audits to be limited to once per year); and

i) on termination of the Agreement, promptly delete or return to Customer (at Customer's discretion) all Customer Personal Data processed only on behalf of Customer, save to the extent that DR UK is legally required to retain any Customer Personal Data.

3. In respect of any transfer to which Chapter V of the GDPR applies of Customer Personal Data or other personal data from inside the EEA and/or UK to a location outside the EEA and/or UK on Customer’s behalf or in connection with this Agreement, DR UK shall (and, where applicable, shall procure that its data processors shall) ensure that the transfer complies with Chapter V of the GDPR and shall notify Customer (upon request) of such safeguards or exemptions which apply to the transfer. Customer shall provide all reasonable assistance to DR UK in DR UK complying with this paragraph 3, including:

a) Where a transfer of Customer Personal Data or other personal data pursuant to this paragraph 3 is made by Customer as controller to DR UK as processor, and none of the exemptions or other safeguards of Chapter V of the GDPR are provided for in respect of the transfer, the parties hereby enter into a contract on the basis of Module 1 of the clauses required by the European Commission in connection with such transfers in its decision dated 4 June 2021 (the “Decision”) and as set out in such Decision.

b) Where a transfer of Customer Personal Data pursuant to this paragraph 3 is to be made by DR UK as a processor to a sub-processor, Customer provides authorisation for DR UK to enter into a contract on the basis of Module 3 of the clauses required by the European Commission in the Decision in connection with such transfers with the sub-processor.

4. Customer shall ensure that: (i) it is entitled to transfer Customer Personal Data or other personal data it transfers to DR UK so that DR UK and its subcontractors may lawfully use, process and transfer Customer Personal Data or other personal data in accordance with the Agreement.

5. Customer provides authorisation for the Approved Subcontractors (as defined in the Agreement) at the time of the Effective Date to process Customer Personal Data as sub-processors. Customer agrees that DR UK may add or replace further sub-processors from time to time provided that DR UK shall notify Customer in writing (including email) in advance of any such change and, unless Customer sends written notification to DR UK within seven (7) days of DR UK's notification, setting out its objection to any new sub-processor, Customer will be deemed to have consented to such change.

6. In the event of any conflict between the provisions of this Data Protection Exhibit and the provisions of the Agreement, the provisions of this Data Protection Exhibit shall prevail.