Data Processing Agreement

1. Introduction, Scope, Definitions

1.1. GotPhoto as Processor or Subprocessor

This is a data processing agreement between the Studio and GotPhoto, Inc., 433 Broadway, New York, NY 10013, United States (“GotPhoto”)

The Studio may act as Controller. The term “Controller” is defined within this agreement as follows:

“Controller” is the natural person or legal entity, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing personal information.

If the Studio obtains the consent for lawful processing of personal information directly from an individual (or in the case of a minor, from their parent(s) or legal guardian) or otherwise lawfully gathers personal information, the Studio is considered a data controller. In this case GotPhoto then acts as a processor for the Studio. This is a non-exhaustive list of examples how the Studio can become a controller:

Parent or legal guardian fills out and signs a physical QR code card consenting to a minor’s participation in a photoshoot and the provision of photos for sale to the parent or legal guardian,
Parent or legal guardian registers a minor for “photo day” via a notice in the facility,
Parent or legal guardian registers a minor online for a photoshoot using an online form,
Person of legal age consents to the photoshoot and sale of photos through implied behaviour,
Person of legal age consents to the use of personal information for sending e-mail reminders in the Studio’s online store.

Alternatively, the Studio acts as a processor. The term “Processor” is defined within this agreement as follows:

“Processor” is a natural person or legal entity, public authority, agency or other body which processes personal information on behalf of the controller.

If the Studio receives the data on the basis of a data processing agreement with a third party (who is not the individual, whose personal information is processed, or their parent or legal guardian), e.g. a school / nursery, this third party acts as the controller, the Studio as the processor and GotPhoto as the subprocessor.

The term “Processing” or “To Process” is defined in this agreement as follows:

“Processing” is the collection, use or disclosure of personal information in the course of commercial activities.

1.2 Scope and Definitions

This agreement applies to all activities in which GotPhoto, employees of GotPhoto or subprocessors commissioned by GotPhoto process personal information that GotPhoto receives from the Studio.

Terms not specifically defined in this agreement are to be understood as defined in the applicable data protection laws.

“Data Protection Laws” means, with regards to GotPhoto’s processing of personal information, any applicable United States or Canadian federal, state or local law, rule, regulation, statute, or other enactment, relating to data use, security, protection and privacy as well as applicable data protection regulations of other countries.

2. Subject and Duration of Processing

2.1 Subject

The processing is based on the conclusion of a contract between GotPhoto and the Studio (“Principal Contract”) through the Studio’s creation of a user account on the GotPhoto website and Studio’s acceptance of GotPhoto’s general terms and conditions in their up-to-date version.

The Principal Contract is for the provision of services by GotPhoto to Studio or the customers of the Studio (e.g. processing of orders or production and shipping of photo products). GotPhoto acts as a (sub)processor at all times.

2.2 Duration

The duration of this agreement corresponds to the duration of the Principal Contract.

3. Details of the Processing

Information on the nature, the purpose of the processing, the types of personal information processed and the categories of individuals, whose personal information is processed, are detailed in Annex 1 (Processing Details).

4. Obligations of GotPhoto

4.1 GotPhoto processes personal information exclusively as contractually agreed or as instructed by the Studio, unless GotPhoto is legally required to process personal information in a certain way. If such legal requirements exist, GotPhoto will inform the Studio before processing any data, provided that the communication is not prohibited by law.

4.2 GotPhoto confirms that it is aware of the applicable data protection laws.

4.3 GotPhoto and its employees are committed to keeping all personal information confidential.

4.4 GotPhoto will make every reasonable effort to ensure the accuracy and completeness of the personal information.

4.5 If GotPhoto receives a request for access to, correction or deletion of personal information, a no not sell my data request or an unsubscribe request from an individual, GotPhoto will promptly advise that individual to make the request to Studio. GotPhoto will notify Studio of any such request.

4.6 GotPhoto will only correct, erase or block personal information processed in accordance with this agreement or the instructions of the Studio.

4.7 Unless required by applicable data protection laws, GotPhoto will not provide information to individuals or third parties directly without the prior consent of the Studio. GotPhoto will forward requests related to personal information processed, which are addressed to it immediately to the Studio.

5. Technical and Organizational Measures

5.1 GotPhoto takes the necessary measures to protect the personal information. Considering the state of the art, the implementation costs and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, GotPhoto will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

5.2 The data security measures displayed at https://www.gotphoto.com/technical-and-organizational-measures/ at the time the contract is concluded shall apply. They define the minimum level of security measures to be implemented by GotPhoto.

5.3 The data security measures can be adapted in accordance with technical and organizational developments as long as the level agreed does not deteriorate. Changes will be communicated to the Studio by e-mail or within a global means of communication within the GotPhoto system (e.g. Newsfeed).

5.4 GotPhoto will ensure that the personal information processed under this agreement will be strictly separated from other data. The logical separation of data is sufficient.

5.5 Data storage media originating from or used by the Studio or his customers will be specifically marked and subject to ongoing monitoring. Such media will be properly stored at all times and will not be accessible to unauthorized persons.

6. Data Processing outside of the United States

6.1 Studio acknowledges and consents that personal information may be processed outside of the United States by GotPhoto using cloud computing or other information technology infrastructure selected by GotPhoto and managed using third parties. Studio confirms that he has provided all required notices and information to and obtained all required consents and approvals for such processing from the affected individuals.

6.2 If the Studio acts as a processor, he will seek the appropriate permission to engage subprocessors outside of the United States. If the Studio acts as a controller, he agrees to the use of subprocessors outside of the United States and authorizes GotPhoto to engage such subprocessors.

6.3 GotPhoto processes personal information on the territory of the United States, the Federal Republic of Germany, in a member state of the European Union or the European Economic Area. Any transfer to a third country will only take place if appropriate safeguards have been put in place by GotPhoto and on condition that enforceable rights and effective legal remedies for the individuals affected by the processing of personal information are available. GotPhoto will inform the Studio prior to such transfer to a third country in accordance with section 7. “Subprocessing” of this agreement.

7. Subprocessing

7.1 The Studio agrees to GotPhoto engaging subprocessors. The subprocessors listed at https://www.gotphoto.com/technical-and-organizational-measures/ with their name, address and processing activities, are engaged in the processing of personal information to the extent specified.

7.2 GotPhoto must ensure that the contract with the subprocessor contains the same data protection obligations stipulated in this agreement and check compliance by subprocessor with these data protection obligations regularly.

7.3 GotPhoto selects subprocessors carefully, with particular regard to the suitability of the technical and organizational measures taken by the subprocessor.

7.4 The sharing of personal information processed under this agreement with the subprocessor is only permissible if GotPhoto is convinced that the subprocessor fully complies with its data protection obligations.

7.5 GotPhoto may use subprocessors in third countries. Section 6.3. of this agreement will apply.

8. Obligations of the Studio

8.1 The Studio, or if the Studio acts as a processor, then the data controller, are responsible to determine whether the data processing takes place in accordance with legal regulations and the rights of the individuals are protected.

8.2 If consent is required under applicable law, the Studio will obtain the consent from the individual and if the individual is a minor, from the minor’s parent(s) or legal guardian, for the processing of personal information for the purposes specified in this agreement.

9. Audits and Investigations

9.1 Upon reasonable request by Studio, GotPhoto will provide information to supervisory authorities pertaining to GotPhoto’s processing of personal information. GotPhoto shall demonstrate its compliance with the obligations under this agreement and any applicable privacy laws.

9.2 To the extent required by applicable data protection laws, GotPhoto will allow for and contribute to audits conducted by Studio or a third party mandated by Studio to conduct the audit. Any such audit must be tailored to what is reasonably necessary to verify GotPhoto’s compliance with this agreement and applicable data protection laws. The Studio may, in particular, request information, view stored data and data processing programs and conduct on-site inspections. GotPhoto is required to provide the necessary information, demonstrate procedures and provide any evidence necessary to conduct an inspection.

9.3 An inspection can be carried out upon two weeks’ notice to GotPhoto and must be carried out during GotPhoto’s normal business hours. In connection with any such audit, Studio or the appointed third party auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by GotPhoto, (b) comply with reasonable and applicable policies and procedures provided by GotPhoto, and (c) ensure not to disrupt GotPhoto’s business operations.

9.4 GotPhoto will reasonably cooperate with Studio, at Studio’s cost, in the event of an investigation, inquiry, complaint, suit or other legal proceeding regarding any actual or alleged material breach of applicable privacy laws or this agreement.

10. Reporting Obligations

10.1 GotPhoto will inform the Studio immediately of a data security breach involving personal information.

10.2 GotPhoto will also report any violations of data protection regulations or provisions of this agreement by GotPhoto or its employees.

10.3 GotPhoto informs the Studio immediately of audits or measures taken by supervisory authorities or other third parties, insofar as these relate to data processing.

10.4 To the extent required by the applicable data protection laws, GotPhoto will assist the Studio to comply with its reporting obligations to any supervisory authorities. This assistance is limited to existing information and processes within the GotPhoto system as well as information relating to the data processing carried out by GotPhoto on behalf of the Studio.

11. Instructions

11.1 The Studio reserves the right to give instructions regarding the processing of personal information.

11.2 Instructions can be sent to privacy@gotphoto.com. In urgent cases, instructions may be given verbally to GotPhoto’s phone support. The Studio will confirm such instructions immediately in a documented manner.

11.3 GotPhoto will inform the Studio promptly, if it believes that instructions given by the Studio violate any law or are unreasonable. GotPhoto is entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Studio.

11.4 GotPhoto must document instructions given to it and their implementation.

12. Termination of the Agreement

12.1 Upon termination of the agreement or upon request by the Studio at any time, GotPhoto will delete the personal information processed on behalf of the Studio. Furthermore, any existing copies of the personal information will be destroyed. The deletion of the personal information must be executed in a way that circumvents the recovery of residual data.

12.2 GotPhoto must ensure that any subprocessors immediately return or delete the personal information processed by them.

12.3 Documentation that serves as proof of proper data processing will be retained by GotPhoto in accordance with the required storage periods, even after the end of the agreement.

13. Termination for Cause

13.1 The Studio may terminate the Principal Contract and this agreement at any time (“Termination for Cause”) in the event of a serious breach by GotPhoto of the terms of this agreement.

13.2 A violation is deemed serious, if GotPhoto does not fulfil material obligations stipulated in this agreement, in particular the implementation of the agreed technical and organizational measures.

13.3 The Studio will allow GotPhoto to remedy the serious breach. If the remedial action does not occur in a timely manner, as established between the parties, the Studio is entitled to terminate for cause.

14. Liability

The liability of the parties shall be determined in accordance with section 12. of the “General Terms and Conditions of GotPhoto, Inc.”, i.e. the Principal Contract.

15. Miscellaneous

15.1 Either party will treat the proprietary information and the data security measures of the other party as confidential. In case of doubt as to whether the information is subject to confidentiality, it must be treated as confidential until a written statement of release from confidentiality is provided by the other party. The obligation of confidentiality shall survive the termination of this agreement.

15.2 Any additional agreements between the parties must be made in writing.

15.3 If a section of this agreement is found to be invalid by a court of law, this shall not affect the validity of any other section of this agreement.

Note: This data protection agreement is valid without signatures of the parties and will come into effect when the Studio agrees to GotPhoto’s general terms and conditions, which reference and include this data protection agreement.

Annex 1 – Processing Details

1. Studio as Controller

1.1 Nature and Purpose of Processing

The nature and purpose of the processing of personal information by GotPhoto are derived from the Principal Contract. This includes the following activities:

the collection of personal information,
the storage of personal information,
the deletion of personal information,
the arrangement of personal information,
the collection of personal information within the online shop,
the adaptation and modification,
the transmission to possible service providers,
the provision of personal information,
the processing of customer inquiries via the contact form in the online shop,
web audience analysis.

These activities serve the following purposes:

Support for the processing of orders (for example, production and shipping of image products),
Support within the GotPhoto system (e.g. information on complaints and payment status),
Provision, sometimes password-protected, of photos for online sale,
Automatic sorting of photos,
Sending e-mails to customers and potential customers of the Studio for important notifications,
Design of GotPhoto services in accordance with customer needs,
Provision of materials about photography with the GotPhoto system,
Payment processing, if a payment method is chosen by the customer, which requires data processing for technical implementation (e.g. direct debit or credit card payment).

1.2 Type of Personal Information

The following data can be processed:

Photos of persons,
Specification data for sorting (classes and group names),
First and last names of customers, potential customers and persons photographed or to be photographed,
Contact information (especially addresses, e-mail addresses, phone numbers),
Payment information (such as credit card numbers or account numbers),
Usage and behaviour data in the online shop.

This data is provided by the Studio within the GotPhoto system or by the Studio’s customers within the online store during the order process.

1.3 Categories of Individuals

Persons photographed by the Studio
Customers of the Studio who order within the online store

2. Studio as Processor

2.1. Nature and Purpose of Processing

The nature and purpose of the processing of personal information by GotPhoto are derived from the Principal Contract. This includes the following activities:

the collection of personal information
the storage of personal information
the deletion of personal information
arranging personal information
adaptation and modification
the transmission to possible service providers
the provision of personal information

The purposes of these processing operations are:

Support for the processing of orders (e.g. production and dispatch of the image products),
Provision, sometimes password-protected, of photos for online sale,
Automatic sorting of the photos,
Sending e-mails to customers and potential customers of the Studio for important notifications,
Design of the GotPhoto services in accordance with customer needs,
Provision of materials about photography with the GotPhoto system.

2.2 Type of Data

The following data are processed:

Photos of persons,
Specification data for sorting (classes and group names),
First and last names of customers, potential customers and persons photographed or to be photographed,
Contact data (in particular addresses, e-mail addresses, phone numbers).

This data is provided by the Studio within the GotPhoto system.

2.3 Categories of Individuals

The individuals concerned by the processing are: