We are:
Lighting Reality Limited, a company incorporated under the laws of England & Wales with its registered office at Campion House, Kidderminster, Worcestershire, England, DY10 1JL, registered with the commercial register with number 03120287 (the Processor).
Lighting Reality Limited, a company incorporated under the laws of England & Wales with its registered office at Campion House, Kidderminster, Worcestershire, England, DY10 1JL, registered with the commercial register with number 03120287 (the Processor).
You are:
Any Customer who purchases a Software Subscription, requests a quotation for a Software Subscription or purchases other products/services (the Controller).
The Controller and the Processor may be referred to collectively as the “Parties”.
Whereas:
(A) the Processor provides Services to the Controller. In performing such Services, the Processor will conduct Processing on behalf of the Controller.
(B) the Parties agree that the Controller qualifies as a “controller” and that the Processor qualifies as a “processor” under the Data Protection Legislation;
(C) the Personal Data is made available by the Controller to the Processor for Processing on behalf of the Controller; and
(D) taking into account article 28 of the UK-GDPR, the Controller and the Processor wish to set detailed arrangements in this Agreement regarding the Processing by the Processor on behalf of the Controller;
Now therefore, in consideration of the foregoing, the Parties agree as follows
1. Definitions
“Agreement” – this Processor Agreement;
“Data Breach” – a breach of security, within the meaning of article 4(12) of the UK-GDPR leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed;
“Data Protection Authority” – the Information Commissioner’s Office;
“Data Protection Legislation” – together the UK-GDPR, DPA, the GDPR, and the DPF, as applicable, along with any and all other relevant legislation not herein mentioned but as may become applicable from time to time;
“Data Subject” – the person to whom the Personal Data relates, as further indicated in the Annex;
“DPA” – the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as both may be amended from time to time or replaced;
“DPF” – the EU-US Data Protection Framework, as entered into force on 10 July 2023, and as may be amended from time to time or replaced;
“EEA” – the countries within the European Economic Area;
“GDPR” – the EU General Data Protection Regulation, as entered into force on 25 May 2018, and as may be amended from time to time or replaced;
“Personal Data” the personal data within the meaning of the Data Protection Legislation to which the Processor has access for Processing on behalf of Controller in accordance with this Agreement;
“Processing” – any operation or any set of operations concerning Personal Data, including in any case the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission , dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;
“Services” – a software subscription to be provided by the Processor to the Controller, including, amongst others, LR Pro, LR Studio, integrated and optional modules and online, email and telephone support for the use of the software;
“Sub-processor” – a processor engaged by the Processor for Processing; and
“UK-GDPR” – the United Kingdom General Data Protection Regulation, as entered into force on 01 January 2021, and as may be amended from time to time.
2. Purpose and further information
2.1 In connection with the Services, the Processor will conduct Processing on behalf of the Controller in accordance with the provisions of this Agreement.
2.2 Processing by the Processor will comply with the Data Protection Legislation.
2.3 The Processor will only conduct Processing in accordance with the Controller’s instructions and / or in accordance with the obligations arising from this Agreement in connection with the Services.
2.4 The Processor may be required to conduct Processing for other reasons specifically agreed to with the Controller.
2.5 The Processor will immediately inform the Controller if, in its opinion, an instruction infringes the Data Protection Legislation.
2.6 The Processor will only conduct Processing in countries that ensure an adequate level of protection in accordance with the Data Protection Legislation.
2.7 The Processor will not in any way transfer Personal Data outside such countries other than with the prior written consent of the Controller.
3. Co-operation with the Processor
3.1 The Processor will assist the Controller in ensuring its compliance with the obligations pursuant to articles 32 to 36 of the UK-GDPR, taking into account the nature of the Processing and the information available to the Processor.
3.2 If this assistance goes beyond what is legally or may reasonably to be expected from the Processor, the Parties will determine in advance and in writing (including by e-mail) what rate (hourly) the Processor can apply when providing this assistance.
4. Sub-processors
4.1 The Processor will not engage any Sub-processor other than:
(a) as permitted pursuant to this Agreement; or
(b) with the Controller’s written approval.
4.2 Notwithstanding clause 4.1, the Controller, gives its general consent:
(a) that the Processor uses Sub-processors in connection withs its delivery of the Services;
4.3 The Processor will notify the Controller of any intended changes concerning the addition, removal, or replacement of a Sub-processor in such timely fashion that the Controller has the opportunity to object to any proposed changes.
4.4 Within 4 weeks of the receipt of such notice from the Processor, the Controller may object to the addition or change on reasonable grounds.
4.5 In relation to clause 4.4, the following circumstances are automatically considered to be reasonable grounds – a Sub-processor is:
(a) established outside of the EEA;
(b) not bound by binding corporate rules;
(c) not certified under legislation such as the DPF;
(d) not willing to enter into a model contract for the transfer of Personal Data to third countries with the Controller;
(e) in the opinion of the Controller (acting reasonably), unlikely to be able to comply with the obligations imposed on the Processor in accordance with this Agreement, as evidenced by the Controller; or
(f) in the opinion of the Controller (acting reasonably), likely to introduce an unreasonable risk to the protection of Personal Data, as evidenced by the Controller.
4.6 Where the Controller objects in accordance with clause 4.4, the Processor may propose an alternative manner so as to proceed with the relevant Services within a reasonable timeframe.
4.7 If such proposal under clause 4.6, is unacceptable to the Controller, or where the Processor will not make such a proposal, the Controller may terminate (opzeggen) the part of the Services which cannot be provided without the addition or replacement of a relevant Sub-processor.
4.8 The Processor is responsible and liable for the actions of any Sub-processor it engages in connection with the performance of its obligations under this Agreement.
4.9 In any event, the Processor will impose on any and all Sub-processors equivalent obligations as set out in this Agreement.
5. Requests for Personal Data
5.1 Request by the Controller
5.1.1 Should the Controller require access to Personal Data, the Processor will immediately give such access upon receipt of such request from the Controller.
5.1.2 Within four (4) weeks of such request from the Controller, the Processor will:
(a) provide:
(i) a copy to the Controller of all Personal Data and / or all Personal Data relating to a certain individual in the Processor’s possession as well as a copy of all relevant documents; and
(ii) an overview of all systems connected with Processing
in a format that the Controller reasonably requests, unless such information is already available to the Controller;
(b) delete, block, or correct certain Personal Data in accordance with the Controller’s instructions; or
(c) document that any request under clause 5.2.2(b) has not been completed and the reasons thereof.
5.2 Requests by a Data Subject
5.2.1 If the Processor receives any requests (such as requests for access, rectification, data erasure, or restriction of Processing) from a Data Subject, the Processor will forward such request to the Controller without delay.
5.2.2 Within four (4) weeks of a request under clause 5.2.1, the Processor will:
(a) provide the Controller with a copy of all Personal Data relating to this Data Subject which the Processor has in its possession, as well as a copy of all relevant documents; and
(b) an overview of all systems connected with Processing,
in a format that the Controller reasonably requests, unless such information is already available to the Controller.
5.3 Requests by a competent authority
5.3.1 In the event that a competent authority makes a legally binding request for the disclosure of any Personal Data, the Processor will immediately notify the Controller thereof, unless the Processor is legally prohibited from doing so.
6. Confidentiality, security, and right to audit
6.1 The Processor will implement appropriate technical and organizational measures in accordance with article 32 of the UK-GDPR to protect Personal Data from destruction, loss or unauthorized disclosure or other unlawful Processing, including unnecessary collection and further Processing.
6.2 The Processor will ensure that only its authorized personnel who need access to Personal Data for Processing will have such access.
6.3 The (categories of) personnel that will have access to Personal Data are listed in the Annex.
6.4 In relation to the (categories of) personnel identified under clause 6.3, the Processor will:
(a) instruct them appropriately;
(b) ensure that they respect the confidentiality of the Personal Data; and
(c) make them aware of their responsibilities and obligations under the Data Protection Legislation.
6.5 The Processor will:
(a) protect the Personal Data by applying a set of control measures to the input, the Processing, and the output;
(b) ensure the relevant IT processes are controlled by a set of control measures; and
(c) all such measures in this clause 6.5 are recorded in a control framework.
7. Data Breach
7.1 In the event of a Data Breach by the Processor or its Sub-processors, the Processor will notify the Controller:
(a) without unreasonable delay; and
(b) at latest within 36 hours after becoming aware of the Data Breach.
7.2 The Processor will provide the Controller with all reasonably required information, including at least the information referred to in article 33(3) of the UK-GDPR, to enable the Controller to notify (if required by article 33 and 34 of the UK-GDPR) the Data Protection Authority and, if any, the relevant Data Subjects.
7.3 When providing the information as referred to in clause 7.2 the Processor will provide the information to the Controller in the way that such information would be required by the Data Protection Authority via its standard model forms.
7.4 Furthermore, the Processor’s data protection officer (and legal counsel, if any) will be available for any follow-up questions that the Controller may have.
7.5 The Processor will notify the Controller if any new, relevant developments occur after the notification made to the Controller in accordance with clause 7.1, including about the measures the Processor (and its Sub-processors) undertake to limit the consequences of the Data Breach.
7.6 If Personal Data has been damaged or has otherwise become unusable due to a Data Breach, the Processor will attempt to repair it without delay and free of charge based on its applicable backup and / or disaster recovery procedures.
8. Liability
8.1 The Processor is liable to the Controller as a result of, or in relation to, this Agreement insofar and to the extent as agreed upon in this Agreement, whereby it is agreed that Processor’s liability will never exceed an amount equal to the annual value of Lighting Reality PRO licences held at the time of the breach in the names of the Controller’s employees affected by the breach.
9. Force Majeure
9.1 The Processor will notify the Controller without undue delay in the event that Processor is unable to fulfil its obligations under this Agreement in whole or in part as a result of force majeure.
10. Amendments
10.1 Any changes to this Agreement and related annex will only be valid if made in writing signed by both Parties.
11. Assignment
11.1 A Party is not permitted to assign its rights and / or obligations under this Agreement to a third party, without the other Party’s prior written consent (such consent not to be unreasonably withheld or delayed).
12. Duration
12.1 This Agreement will enter into force on the latest date of signature by the Parties and will remain in force until the Controller serves notice in writing to the Processor to terminate or until the Processor no longer Processes Personal Data on behalf of the Controller.
13. Rights and duties
13.1 The rights and duties in this Agreement, which by their nature and content are intended to remain in effect, will remain in full effect after the termination thereof.
14. Return / destruction of Personal Data
14.1 Following termination of this Agreement, the Processor will transfer all Personal Data to the Controller within a reasonable period of time and / or will, upon the Controller’s request:
(a) destroy or delete all Personal Data, including all (copies of) electronically recorded Personal Data; and
(b) confirm in writing to the Controller that all Personal Data has been returned, destroyed, or deleted.
14.2 If the Processor is required by law to carry on Processing, it will fulfil the Controller’s request under clause 14.1 insofar as legally permitted.
14.3 At the request and expense of the Controller, the Processor will provide the written confirmation required by this clause 14 to the Controller.
15. Severability
15.1 If any of the provisions of this Agreement is or becomes null and void or is declared null and void, the remaining provisions will be unaffected and will continue in full force and effect.
16. Governing law
16.1 This Agreement will be governed by the laws of England & Wales.
17. Jurisdiction
17.1 All disputes will be submitted to the competent court in the United Kingdom.
Annex
1. When performing the services as indicated in this Agreement, the Processor conducts Processing.
2. Depending on the services provided, the following (categories) of personnel may have access to Personal Data:
a. access to specific Personal Data owned or controlled by the Controller by HR employees, finance employees, senior management, service desk employees and / or directors of the Processor; and
3. Depending on the services provided, the following categories of Data Subject(s) may be subject to Processing:
• Names and contact details
• Addresses
• Purchase or account history
• Payment details
• Account information
• Website user information (including user journeys and cookie tracking)
• Information relating to compliments or complaints
• Marketing preferences
• Records of consent, where appropriate
• Financial transaction information
• Correspondence
• Addresses
• Purchase or account history
• Payment details
• Account information
• Website user information (including user journeys and cookie tracking)
• Information relating to compliments or complaints
• Marketing preferences
• Records of consent, where appropriate
• Financial transaction information
• Correspondence
July 2025