Data Processing Agreement (DPA)

This Data Processing Agreement (Agreement) forms part of the contract between CCL Industries (UK) Ltd trading as RFID Hotel (Processor) and the Client (Controller) and governs the processing of Personal Data in accordance with the UK GDPR and Data Protection Act 2018.

1. Definitions

Applicable Data Protection Law means UK GDPR and the Data Protection Act 2018.

Personal Data, Processing, Controller, Processor, and Data Subject have the meanings given under Applicable Data Protection Law.

2. Subject matter and duration

This Agreement applies to the Processing of Personal Data by the Processor on behalf of the Controller for the duration of the services agreement between the parties.

3. Nature and purpose of processing

The Processor shall process Personal Data solely for the purpose of:

* Providing event credentialing, access control, accreditation, and related services
* Managing attendee, staff, and contractor data
* Delivering analytics and reporting services

4. Types of personal data

The types of Personal Data may include:

* Name and contact details (email, phone)
* Job title and organisation
* Identification data (badge ID, access permissions)
* Event participation data
* Photographs where applicable

5. Categories of data subjects

* Event attendees
* Staff and contractors
* Client personnel
* Suppliers and partners

6. Controller obligations

The Controller shall:

* Ensure it has a lawful basis for Processing
* Provide all necessary privacy notices
* Ensure instructions comply with Applicable Data Protection Law

7. Processor obligations

The Processor shall:

7.1 Processing Instructions
Process Personal Data only on documented instructions from the Controller unless required by law.

7.2 Confidentiality
Ensure authorised personnel are subject to confidentiality obligations.

7.3 Security Measures
Implement appropriate technical and organisational measures, including:

* Encryption in transit and at rest
* Access controls and authentication
* Security testing and monitoring
* Incident response procedures

7.4 Sub-processors

* Not appoint sub-processors without authorisation
* Maintain a list of sub-processors
* Ensure equivalent data protection obligations
* Remain liable for sub-processor performance

7.5 Data Subject Rights
Assist the Controller with requests relating to access, rectification, erasure, restriction, portability and objection.

7.6 Data Breach Notification
Notify the Controller without undue delay and within 48 hours of becoming aware of a Personal Data breach, including relevant details and mitigation steps.

7.7 Assistance and Compliance
Assist with data protection impact assessments and regulatory compliance where required.

7.8 Record Keeping
Maintain records of Processing activities as required by law.

7.9 Audit Rights
Provide information necessary to demonstrate compliance and allow reasonable audits.

8. International transfers

Personal Data shall not be transferred outside the UK unless appropriate safeguards are in place, such as adequacy decisions or UK IDTA/SCCs.

9. Data retention and deletion

Upon termination, the Processor shall delete or return Personal Data unless retention is required by law.

10. Liability

Each party shall be liable in accordance with the main services agreement.

11. Governing Law

This Agreement is governed by the laws of England and Wales.

12. Contact

For data protection matters:
Email: [email protected]

SCHEDULE 1 – TECHNICAL AND ORGANISATIONAL MEASURES

* Role-based access controls
* Encryption (TLS for data in transit)
* Secure hosting environments
* Backups and disaster recovery
* Staff training
* Logging and monitoring

SCHEDULE 2 – APPROVED SUB-PROCESSORS

* Microsoft Azure – Cloud hosting – UK/EU
* Adobe Commerce – Platform services – EU/Global
* HubSpot – CRM – USA (with safeguards)
* Sage – Finance systems – UK/EU
* Microsoft 365 – Collaboration tools – UK/EU
* Dotdigital – Email platform – UK/EU
* Google Cloud Platform – Hosting/analytics – EU/Global
* Dropbox – File storage – USA/EU (with safeguards)
* Netvector – Web support – UK

The Processor may update this list from time to time in line with contractual obligations. Last updated May 13th 2026

  • What is a Data Processing Agreement (DPA)?

    A Data Processing Agreement is a contract that sets out how a service provider processes personal data on behalf of a client, including security, compliance and legal responsibilities under UK GDPR.

  • Does RFID Hotel act as a data processor or controller?

    RFID Hotel acts as a data processor when handling personal data on behalf of clients to deliver services.
    RFID Hotel acts as a data controller when processing data for its own business purposes, such as internal operations, finance, or marketing.

  • What personal data does RFID Hotel process?

    RFID Hotel may process personal data such as:

    • Names and contact details
    • Job titles and organisations
    • Event participation information
    • Access credentials and permissions
    • Photographs where applicable

    The exact data depends on the services provided.

  • Why does RFID Hotel process personal data?

    Where necessary to deliver services, RFID Hotel may use approved sub-processors (e.g. cloud providers, CRM systems). All sub-processors are subject to appropriate contractual data protection obligations.
