top of page

Data Processing Agreement 

DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“Agreement”) forms part of the Rental and Service Agreement between Orchard Business Systems (“Processor”, “we”, “us”) and the Customer (“Controller”, “you”).

This Agreement applies where we process Personal Data on your behalf in connection with services supplied by us.

1. DEFINITIONS

For the purposes of this Agreement:

“Applicable Data Protection Law” means all legislation relating to data protection and privacy applicable within the United Kingdom including:

  • UK GDPR,

  • the Data Protection Act 2018,

  • and any amendment or replacement legislation.

“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” and “Personal Data Breach” shall have the meanings given under Applicable Data Protection Law.

2. SUBJECT MATTER OF PROCESSING

2.1
The Processor may process Personal Data in connection with:

  • managed print services,

  • multifunctional print devices,

  • remote monitoring systems,

  • print management software,

  • secure print release systems,

  • scan workflows,

  • meter collection,

  • maintenance,

  • support services,

  • and associated operational services.

2.2
The categories of Personal Data processed may include:

  • names,

  • usernames,

  • email addresses,

  • print and scan activity,

  • authentication data,

  • device identifiers,

  • IP addresses,

  • scan destinations,

  • and operational usage information.

2.3
The categories of Data Subjects may include:

  • employees,

  • contractors,

  • temporary workers,

  • students,

  • patients,

  • residents,

  • customers,

  • or other authorised users of the equipment or services.

3. ROLE OF THE PARTIES

3.1
The Customer acts as the Data Controller.

3.2
Orchard Business Systems acts as the Data Processor only in relation to Personal Data processed on behalf of the Customer.

3.3
The Customer remains responsible for:

  • determining the lawful basis for processing,

  • ensuring fair and lawful use of the services,

  • managing user access permissions,

  • maintaining internal policies,

  • and complying with Applicable Data Protection Law.

4. PROCESSOR OBLIGATIONS

4.1
We shall:

  • process Personal Data only on documented instructions from the Customer,

  • ensure personnel authorised to process Personal Data are subject to confidentiality obligations,

  • implement reasonable technical and organisational security measures,

  • assist the Customer where reasonably required in responding to Data Subject requests,

  • and notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.

4.2
We may use secure remote access, automated diagnostics, monitoring systems and software tools for:

  • maintenance,

  • firmware updates,

  • diagnostics,

  • consumable management,

  • security monitoring,

  • and support purposes.

5. SECURITY

5.1
We shall implement reasonable security measures appropriate to the nature of the services provided, including where appropriate:

  • password protection,

  • role-based access controls,

  • encrypted communications,

  • restricted administrative access,

  • and secure remote support methods.

5.2
The Customer acknowledges responsibility for:

  • wider network security,

  • firewall management,

  • antivirus protection,

  • backup procedures,

  • user access management,

  • and wider IT infrastructure outside services directly supplied by us.

6. SUB-PROCESSORS

6.1
The Customer authorises us to use third-party suppliers and service providers (“Sub-Processors”) where reasonably necessary for delivery of the services.

6.2
Sub-Processors may include:

  • print management software providers,

  • remote monitoring providers,

  • cloud hosting providers,

  • maintenance platforms,

  • device manufacturers,

  • and support service providers.

6.3
We shall take reasonable steps to ensure Sub-Processors are subject to appropriate confidentiality and data protection obligations.

7. INTERNATIONAL TRANSFERS

7.1
We shall not knowingly transfer Personal Data outside the United Kingdom unless appropriate safeguards are in place in accordance with Applicable Data Protection Law.

8. RETENTION & DELETION

8.1
Personal Data shall only be retained for as long as reasonably necessary for:

  • provision of services,

  • support,

  • operational management,

  • legal obligations,

  • or legitimate business purposes.

8.2
Upon termination of services, we may retain limited operational records where required:

  • for legal obligations,

  • dispute resolution,

  • accounting purposes,

  • or legitimate business interests.

8.3
The Customer acknowledges that multifunctional print devices may contain residual data within internal storage systems. Unless otherwise agreed in writing, the Customer remains responsible for ensuring any required data backup, retention or removal prior to equipment return or disposal.

9. LIABILITY

9.1
Nothing within this Agreement shall increase either party’s liability beyond the limitations contained within the main Rental and Service Agreement.

10. TERM

10.1
This Agreement shall remain in force for the duration of the Rental and Service Agreement and any period during which Personal Data is processed on behalf of the Customer.

11. GOVERNING LAW

11.1
This Agreement shall be governed by and construed in accordance with the laws of England and Wales.

bottom of page