Data Processing Agreement (DPA)
This Data Processing Agreement (Agreement) forms part of the contract between CCL Industries (UK) Ltd trading as ID&C (Processor) and the Client (Controller) and governs the processing of Personal Data in accordance with the UK GDPR and Data Protection Act 2018.
1. Definitions
Applicable Data Protection Law means UK GDPR and the Data Protection Act 2018.
Personal Data, Processing, Controller, Processor, and Data Subject have the meanings given under Applicable Data Protection Law.
2. Subject matter and duration
This Agreement applies to the Processing of Personal Data by the Processor on behalf of the Controller for the duration of the services agreement between the parties.
3. Nature and purpose of processing
The Processor shall process Personal Data solely for the purpose of:
* Providing event credentialing, access control, accreditation, and related services
* Managing attendee, staff, and contractor data
* Delivering analytics and reporting services
4. Types of personal data
The types of Personal Data may include:
* Name and contact details (email, phone)
* Job title and organisation
* Identification data (badge ID, access permissions)
* Event participation data
* Photographs where applicable
5. Categories of data subjects
* Event attendees
* Staff and contractors
* Client personnel
* Suppliers and partners
6. Controller obligations
The Controller shall:
* Ensure it has a lawful basis for Processing
* Provide all necessary privacy notices
* Ensure instructions comply with Applicable Data Protection Law
7. Processor obligations
The Processor shall:
7.1 Processing Instructions
Process Personal Data only on documented instructions from the Controller unless required by law.
7.2 Confidentiality
Ensure authorised personnel are subject to confidentiality obligations.
7.3 Security Measures
Implement appropriate technical and organisational measures, including:
* Encryption in transit and at rest
* Access controls and authentication
* Security testing and monitoring
* Incident response procedures
7.4 Sub-processors
* Not appoint sub-processors without authorisation
* Maintain a list of sub-processors
* Ensure equivalent data protection obligations
* Remain liable for sub-processor performance
7.5 Data Subject Rights
Assist the Controller with requests relating to access, rectification, erasure, restriction, portability and objection.
7.6 Data Breach Notification
Notify the Controller without undue delay and within 48 hours of becoming aware of a Personal Data breach, including relevant details and mitigation steps.
7.7 Assistance and Compliance
Assist with data protection impact assessments and regulatory compliance where required.
7.8 Record Keeping
Maintain records of Processing activities as required by law.
7.9 Audit Rights
Provide information necessary to demonstrate compliance and allow reasonable audits.
8. International transfers
Personal Data shall not be transferred outside the UK unless appropriate safeguards are in place, such as adequacy decisions or UK IDTA/SCCs.
9. Data retention and deletion
Upon termination, the Processor shall delete or return Personal Data unless retention is required by law.
10. Liability
Each party shall be liable in accordance with the main services agreement.
11. Governing Law
This Agreement is governed by the laws of England and Wales.
12. Contact
For data protection matters:
Email: dataprotection@idcband.com
SCHEDULE 1 – TECHNICAL AND ORGANISATIONAL MEASURES
* Role-based access controls
* Encryption (TLS for data in transit)
* Secure hosting environments
* Backups and disaster recovery
* Staff training
* Logging and monitoring
SCHEDULE 2 – APPROVED SUB-PROCESSORS
* Microsoft Azure – Cloud hosting – UK/EU
* Adobe Commerce – Platform services – EU/Global
* HubSpot – CRM – USA (with safeguards)
* Sage – Finance systems – UK/EU
* Microsoft 365 – Collaboration tools – UK/EU
* Dotdigital – Email platform – UK/EU
* Google Cloud Platform – Hosting/analytics – EU/Global
* Dropbox – File storage – USA/EU (with safeguards)
* Netvector – Web support – UK
The Processor may update this list from time to time in line with contractual obligations. Last updated April 15th 2026
FAQS
What is a Data Processing Agreement (DPA)?
A Data Processing Agreement is a contract that sets out how a service provider processes personal data on behalf of a client, including security, compliance and legal responsibilities under UK GDPR.
Does ID&C act as a data processor or controller?
ID&C acts as a data processor when handling personal data on behalf of clients to deliver services.
ID&C acts as a data controller when processing data for its own business purposes, such as internal operations, finance, or marketing.What personal data does ID&C process?
ID&C may process personal data such as:
- Names and contact details
- Job titles and organisations
- Event participation information
- Access credentials and permissions
- Photographs where applicable
The exact data depends on the services provided.
Why does ID&C process personal data?
Yes, where necessary to deliver services, ID&C may use approved sub-processors (e.g. cloud providers, CRM systems). All sub-processors are subject to appropriate contractual data protection obligations.
Does ID&C transfer personal data outside the UK?
In some cases, services may involve international data transfers (for example, where systems or support teams are located outside the UK). Where this occurs, appropriate safeguards such as UK IDTA or equivalent legal mechanisms are used.
How does ID&C protect personal data?
ID&C applies a range of technical and organisational measures, including:
- Access controls
- Encryption in transit
- Secure hosting environments
- Monitoring and logging
- Staff training and confidentiality obligations
Can clients audit ID&C’s data processing?
Yes, ID&C will provide reasonable information to demonstrate compliance and may support audit or review requests, subject to appropriate safeguards.
How can I contact ID&C about data protection?
For any data protection queries, please contact: dataprotection@idcband.com
Login and Registration Form