Data Processing Agreement

 

1. Introduction, Scope, Definitions

1.1 GotPhoto as Processor or Subprocessor

This is a data processing agreement between the Photographer and Fotografen Online Service GmbH, Hausvogteiplatz 12, 10117 Berlin, Germany (“GotPhoto”).

The Photographer may act as Controller. The term “Controller” is defined within this agreement as follows:

“Controller” is the natural person or legal entity, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing personal information.

If the Photographer obtains the consent for lawful processing of personal information directly from an individual (or in the case of a minor, from their parent(s) or legal guardian) or otherwise lawfully gathers personal information, the Photographer is considered a data controller. In this case GotPhoto acts as a processor for the Photographer. This is a non-exhaustive list of examples of how the Photographer can become a controller:

  • Parent or legal guardian fills out and signs a physical QR code card consenting to a minor’s participation in a photoshoot and the provision of photos for sale to the parent or legal guardian,
  • Parent or legal guardian registers a minor for “photo day” via a notice in the facility, 
  • Parent or legal guardian registers a minor online for a photoshoot using an online form,
  • Person of legal age consents to the photoshoot and sale of photos through implied behaviour,
  • Person of legal age consents to the use of personal information for sending e-mail reminders in the Photographer’s online store.

Alternatively, the Photographer acts as a processor. The term “Processor” is defined within this agreement as follows:

“Processor” is a natural person or legal entity, public authority, agency or other body which processes personal information on behalf of the controller.

If the Photographer receives the data on the basis of a data processing agreement with a third party (who is not the individual, whose personal information is processed, or their parent or legal guardian), e.g. a school / nursery, this third party acts as the controller, the Photographer as the processor and GotPhoto as the subprocessor. 

The term “Processing” or “To Process” is defined in this agreement as follows: 

“Processing” is the collection, use or disclosure of personal information in the course of commercial activities. 

1.2 Scope and Definitions

This agreement applies to all activities in which GotPhoto, employees of GotPhoto or subprocessors commissioned by GotPhoto process personal information that GotPhoto receives from the Photographer.

Terms not specifically defined in this agreement are to be understood as defined in part 1 section 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Subject and Duration of Processing

2.1 Subject

The processing is based on the conclusion of a contract between GotPhoto and the Photographer (“Principal Contract”) through the Photographer’s creation of a user account on the GotPhoto website and Photographer’s acceptance of GotPhoto’s general terms and conditions in their up-to-date version.

The Principal Contract is for the provision of services by GotPhoto to Photographer or the customers of the Photographer (e.g. processing of orders or production and shipping of photo products). GotPhoto acts as a (sub)processor at all times.

2.2 Duration

The duration of this agreement corresponds to the duration of the Principal Contract.

3. Details of the Processing

Information on the nature, the purpose of the processing, the types of personal information processed and the categories of individuals, whose personal information is processed, are detailed in Annex 1 (Processing Details).

4. Obligations of GotPhoto

4.1 GotPhoto processes personal information exclusively as contractually agreed or as instructed by the Photographer, unless GotPhoto is legally required to process personal information in a certain way. If such legal requirements exist, GotPhoto will inform the Photographer before processing any data, provided that the communication is not prohibited by law.

4.2 GotPhoto confirms that it is aware of the applicable data protection regulations.

4.3 GotPhoto and its employees are committed to keeping all personal information confidential. 

4.4 GotPhoto will make every reasonable effort to ensure the accuracy and completeness of the personal information.

4.5 If GotPhoto receives a request for access to or correction of personal information from an individual, GotPhoto will promptly advise that individual to make the request to Photographer. GotPhoto will notify Photographer of any such request.

4.6 GotPhoto will only correct, erase or block personal information processed in accordance with this agreement or the instructions of the Photographer.

4.7 GotPhoto will only provide information to individuals or third parties directly with the prior consent of the Photographer. GotPhoto will immediately forward to the Photographer any requests addressed to it that relate to the personal information processed.

5. Technical and Organisational Measures

5.1 GotPhoto takes the necessary measures to protect the personal information. Considering the state of the art, the implementation costs and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, GotPhoto will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

5.2 The data security measures displayed at https://www.gotphoto.com/technical-and-organizational-measures-canada/ at the time the contract is concluded shall apply. They define the minimum level of security measures to be implemented by GotPhoto.

5.3 The data security measures can be adapted in accordance with technical and organisational developments as long as the level agreed does not deteriorate. Changes will be communicated to the Photographer by e-mail or within a global means of communication within the GotPhoto system (e.g. Newsfeed). 

5.4 GotPhoto will ensure that the personal information processed under this agreement will be strictly separated from other data. The logical separation of data is sufficient. 

5.5 Data storage media originating from or used by the Photographer or his customers will be specifically marked and subject to ongoing monitoring. Such media will be properly stored at all times and will not be accessible to unauthorized persons. 

6. Data Processing outside of Canada

6.1 Photographer acknowledges and consents that personal information may be processed outside of Canada by GotPhoto using cloud computing or other information technology infrastructure selected by GotPhoto and managed using third parties. Photographer confirms that he has provided all required notices and information to and obtained all required consents and approvals for such processing from the affected individuals. 

6.2 If the Photographer acts as a processor, he will seek the appropriate permission to engage subprocessors outside of Canada. If the Photographer acts as a controller, he agrees to the use of subprocessors outside of Canada and authorizes GotPhoto to engage such subprocessors.

6.3 GotPhoto processes personal information exclusively on the territory of the Federal Republic of Germany, in a member state of the European Union or the European Economic Area. Any transfer to a third country will only take place if appropriate safeguards have been put in place by GotPhoto and on condition that enforceable rights and effective legal remedies for the individuals affected by the processing of personal information are available. GotPhoto will inform the Photographer prior to such transfer to a third country in accordance with section 7 “Subprocessing” of this agreement.

7. Subprocessing

7.1 The subprocessors listed at https://www.gotphoto.com/technical-and-organizational-measures-canada/ with their name, address and processing activities, are engaged in the processing of personal information to the extent specified. By accepting the terms of this agreement the Photographer approves the subprocessors listed. GotPhoto’s obligations related to the subprocessors set forth in this agreement remain unaffected.

7.2 The Photographer agrees to GotPhoto engaging subprocessors. Before contracting or replacing a subprocessor, GotPhoto will inform the Photographer via a global means of communication within the GotPhoto system (e.g. Newsfeed) about the new subprocessor.

7.3 The Photographer has the right to file a written objection against the engagement of the subprocessor for material reason within two weeks of receiving information about the new subprocessor. If no objection is raised within the specified period, Photographer will be deemed to have consented to the new subprocessor.

7.4 GotPhoto must ensure that the contract with the subprocessor contains the same data protection obligations stipulated in this agreement and check compliance by subprocessor with these data protection obligations regularly. 

7.5 GotPhoto selects subprocessors carefully, with particular regard to the suitability of the technical and organisational measures taken by the subprocessor.

7.6 The sharing of personal information processed under this agreement with the subprocessor is only permissible if GotPhoto is convinced that the subprocessor fully complies with its data protection obligations.

7.7 GotPhoto may use subprocessors in third countries. Section 6.3 of this agreement will apply.

7.8 If the subprocessor does not comply with its data protection obligations, GotPhoto will be liable to the Photographer.

8. Obligations of the Photographer

8.1 The Photographer or, if the Photographer acts as a processor, the data controller is responsible for determining whether the data processing takes place in accordance with legal regulations and whether the rights of the individuals are protected.

8.2 If consent is required under applicable law, the Photographer will obtain the consent from the individual and if the individual is a minor, from the minor’s parent(s) or legal guardian, for the processing of personal information for the purposes specified in this agreement. 

9. Audits and Investigations

9.1 Upon reasonable request by Photographer, GotPhoto will provide information to supervisory authorities pertaining to GotPhoto’s processing of personal information. GotPhoto shall demonstrate its compliance with the obligations under this agreement and any applicable privacy laws. 

9.2 GotPhoto will reasonably cooperate with Photographer, at Photographer’s cost, in the event of an audit, investigation, inquiry, complaint, suit or other legal proceeding regarding any actual or alleged material breach of applicable privacy laws or this agreement.

10. Reporting Obligations

10.1 GotPhoto will inform the Photographer immediately of a breach of security safeguards involving personal information. 

10.2 GotPhoto will also report any violations of data protection regulations or provisions of this agreement by GotPhoto or its employees.

10.3 GotPhoto informs the Photographer immediately of audits or measures taken by supervisory authorities or other third parties, insofar as these relate to data processing.  

10.4 GotPhoto will assist the Photographer to comply with his obligations under part 1 section 10.1 PIPEDA. This assistance is limited to existing information and processes within the GotPhoto system as well as information relating to the data processing carried out by GotPhoto on behalf of the Photographer.

11. Instructions

11.1 The Photographer reserves the right to give instructions regarding the processing of personal information.

11.2 Instructions can be sent to privacy@gotphoto.com. In urgent cases, instructions may be given verbally to GotPhoto’s phone support. The Photographer will confirm such instructions immediately in a documented manner.

11.3 GotPhoto will inform the Photographer promptly if it believes that instructions given by the Photographer violate any law or are unreasonable. GotPhoto is entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Photographer.

11.4 GotPhoto must document instructions given to it and their implementation.

12. Termination of the Agreement

12.1 Upon termination of the agreement or upon request by the Photographer at any time, GotPhoto will delete the personal information processed on behalf of the Photographer. Furthermore, any existing copies of the personal information will be destroyed. The deletion of the personal information must be executed in a way that prevents the recovery of residual data.

12.2 GotPhoto must ensure that any subprocessors immediately return or delete the personal information processed by them.

12.3 Documentation that serves as proof of proper data processing will be retained by GotPhoto in accordance with the required storage periods, even after the end of the agreement. 

13. Termination for Cause

13.1 The Photographer may terminate the Principal Contract and this agreement at any time (“Termination for Cause”) in the event of a serious breach by GotPhoto of the terms of this agreement.

13.2 A violation is deemed serious if GotPhoto does not fulfil material obligations stipulated in this agreement, in particular the implementation of the agreed technical and organisational measures.

13.3 The Photographer will allow GotPhoto to remedy the serious breach. If the remedial action does not occur in a timely manner, as established between the parties, the Photographer is entitled to terminate for cause.

13.4 GotPhoto shall have the right to terminate for cause if the Photographer objects to the engagement of a subprocessor in accordance with section 7 “Subprocessing” of this agreement.

14. Liability

The liability of the parties shall be determined in accordance with section 12 of the “General Terms and Conditions of GotPhoto for Photographers located in Canada”, i.e. the Principal Contract.

15. Miscellaneous

15.1 Either party will treat the proprietary information and the data security measures of the other party as confidential. In case of doubt as to whether the information is subject to confidentiality, it must be treated as confidential until a written statement of release from confidentiality is provided by the other party. The obligation of confidentiality shall survive the termination of this agreement. 

15.2 Any additional agreements between the parties must be made in writing.

15.3 If a section of this agreement is found to be invalid by a court of law, this shall not affect the validity of any other section of this agreement.

 

Note: This data protection agreement is valid without signatures of the parties and will come into effect when the Photographer agrees to GotPhoto’s general terms and conditions, which reference and include this data protection agreement.

Annex 1 – Processing Details

1. Photographer as Controller

1.1 Nature and Purpose of Processing

The nature and purpose of the processing of personal information by GotPhoto are derived from the Principal Contract. This includes the following activities:

  • the collection of personal information,
  • the storage of personal information,
  • the deletion of personal information,
  • the arrangement of personal information,
  • the collection of personal information within the online shop,
  • the adaptation and modification,
  • the transmission to possible service providers,
  • the provision of personal information,
  • the processing of customer inquiries via the contact form in the online shop,
  • web audience analysis.

These activities serve the following purposes:

  • Support for the processing of orders (for example, production and shipping of image products),
  • Support within the GotPhoto system (e.g. information on complaints and payment status),
  • Provision, sometimes password-protected, of photos for online sale,
  • Automatic sorting of photos,
  • Sending e-mails to customers and potential customers of the Photographer for important notifications,
  • Design of GotPhoto services in accordance with customer needs,
  • Provision of materials about photography with the GotPhoto system,
  • Payment processing, if a payment method is chosen by the customer, which requires data processing for technical implementation (e.g. direct debit or credit card payment).

1.2 Type of Personal Information

The following data can be processed:

  • Photos of persons,
  • Specification data for sorting (classes and group names),
  • First and last names of customers, potential customers and persons photographed or to be photographed,
  • Contact information (especially addresses, e-mail addresses, phone numbers),
  • Payment information (such as credit card numbers or account numbers),
  • Usage and behaviour data in the online shop.

This data is provided by the Photographer within the GotPhoto system or by the Photographer’s customers within the online store during the order process. 

1.3 Categories of Individuals

  • Persons photographed by the Photographer
  • Customers of the Photographer who order within the online store

2. Photographer as Processor

2.1 Nature and Purpose of Processing

The nature and purpose of the processing of personal information by GotPhoto are derived from the Principal Contract. This includes the following activities: 

  • the collection of personal information
  • the storage of personal information
  • the deletion of personal information
  • arranging personal information
  • adaptation and modification 
  • the transmission to possible service providers 
  • the provision of personal information

The purposes of these processing operations are:

  • Support for the processing of orders (e.g. production and dispatch of the image products),
  • Provision, sometimes password-protected, of photos for online sale,
  • Automatic sorting of the photos,
  • Sending e-mails to customers and potential customers of the Photographer for important notifications,
  • Design of the GotPhoto services in accordance with customer needs,
  • Provision of materials about photography with the GotPhoto system.

2.2 Type of Data

The following data are processed:

  • Photos of persons,
  • Specification data for sorting (classes and group names),
  • First and last names of customers, potential customers and persons photographed or to be photographed,
  • Contact data (in particular addresses, e-mail addresses, phone numbers).

This data is provided by the Photographer within the GotPhoto system. 

2.3 Categories of Individuals

The individuals concerned by the processing are:

  • Persons photographed by the Photographer.

 

Last update: 07/01/2024
