Data Processing Agreement
according to Art. 28 GDPR

1. Introduction, Scope, Definitions

1.1. What is the structure of this agreement?

This is a Data Processing Agreement that considers two potential modes of implementation by GotPhoto.

The photographer either acts as Controller. The term “Controller” is defined within the GDPR as follows:

“Controller” is the natural person or legal entity, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing personal data.

If the photographer obtains the consent for lawful processing of personal data directly from a data subject (or of the legal guardian/pupil at legal age in case of school and nursery photography) or gathers personal data directly based on Art. 6 par. 1 GDPR, the photographer is defined as the controller. GotPhoto then acts as a processor for photographers. These are possible examples how a photographer can enter the position of a controller:

Alternatively, the photographer acts as a processor. The term “Processor” is defined within the GDPR as follows:

“Processor” is a natural person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller

If the photographer receives the data on the basis of a data processing agreement (“DPA”) from and on behalf of an ordering party, the ordering party acts as the controller, the photographer as the processor and GotPhoto as the Subprocessor. 

1.2. Scope and definitions

This agreement applies to all activities in which GotPhoto, employees of GotPhoto or Subprocessors commissioned by GotPhoto process personal data that GotPhoto receives from the photographer.

Terms used in this agreement are to be understood as defined in Art. 4 of the GDPR. Insofar as declarations have to be made below “in writing”, the written form is meant as defined in Section 126 of the German Civil Code (“GCC”). In addition, declarations may also be made in other forms insofar as adequate verifiability is ensured.

2. Subject and duration of processing

2.1. Subject

The processing is based on the commissioning of GotPhoto by the photographer via the creation of an account on the websites of GotPhoto.

The commission refers to all services by GotPhoto used by the photographer or the customers of the photographer according to the principal contract (e.g. processing of orders or production and shipping of photo products). GotPhoto acts as a (sub)processor at all times.

2.2. Duration

The duration of this agreement corresponds to the duration of the main contract.

3. Details of the processing

Information on the nature and purpose of the processing, the types of personal data and the categories of data subjects are described in Annex 1 (Processing Details), differentiated according to the modes outlined in Section 1 of this Agreement.

4. Obligations of GotPhoto

4.1. GotPhoto processes personal data exclusively as contractually agreed or as instructed by the school/kindergarten or photographer separately, unless GotPhoto is legally obliged to a certain processing. If such obligations exist for them, GotPhoto will inform the photographer before processing, provided that the communication is not prohibited by law. 

4.2. GotPhoto confirms that it is aware of the relevant general data protection regulations.

4.3. GotPhoto assures that both it and its employees have committed to confidentiality. 

4.4. In conjunction with the commissioned processing, GotPhoto will assist the photographer, taking into account the nature of the processing and the information available to him, in drawing up and updating the list of processing activities and in complying with the obligations set out in articles 32 to 36 of the GDPR. However, supporting activity by GotPhoto is ensured only by sharing information within the communication channels thereof (e.g., support, website, etc.).

4.5. If data subjects assert rights against it, GotPhoto undertakes, given the nature of processing and where possible, to assist the photographer with suitable technical and organisational measures in response to applications to the necessary extent, as far as the processing in the order is concerned.

4.6. Information to third parties or those affected may only be given by GotPhoto with the prior consent of the school/kindergarten. It will forward questions addressed directly to it immediately to the school/kindergarten.

4.7. The data is processed place exclusively on the territory of the Federal Republic of Germany, in a member state of the European Union or in another Contracting State to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the photographer and may only take place if the special requirements of art. 44 et seq. of the GDPR are met. If the photographer acts as a processor, he ensures, by signing the agreement, that he will seek the appropriate school/kindergarten permission to engage Subprocessors in third countries, that GotPhoto may engage Subprocessors in third countries on behalf of the customer of the photographer acting as controller and conclude therewith EU standard contractual clauses (or EU standard privacy clauses). 

4.8. If the Photographer acts as a controller, he agrees to the use of Subprocessors in third countries by signing this agreement and authorises GotPhoto to conclude on his behalf EU standard contractual clauses (or EU standard privacy clauses) with these Subprocessors. Before engaging Subprocessors in a third country, GotPhoto will inform the photographers in text form so that the photographer knows which Subprocessor is involved and what activities he is undertaking.

4.9. GotPhoto is required to conclude Module 3 of the new EU Standard Contractual Clauses (Processor to Processor) with all Subprocessors if and to the extent that a data transfer to a third country takes place in the context of the subprocessing. GotPhoto must also oblige any Subprocessors accordingly. Prior to the assignment of Subprocessors in a third country, GotPhoto shall inform the photographer in text form so that the Photographer is aware of which sub-processor is involved and which activities it will perform.  

5. Technical and organisational measures

5.1. GotPhoto takes the necessary measures required under art. 32 GDPR. Considering the stage of technology developments, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different occurrence probability and severity of the risk to the rights and freedoms of individuals, GotPhoto will take appropriate technical and organisational measures to ensure the appropriate level of risk protection.

5.2. The data security measures described at www.gotphoto.co.uk/dpa-attachments at the time of the signature are defined as binding. They define the minimum required by GotPhoto.

5.3. The data security measures can be adapted to the technical and organisational development as long as the level agreed here is not lower. Changes are to be communicated to the photographer immediately by e-mail or within a global means of communication within the GotPhoto system (e.g. Newsfeed). Significant changes are to be agreed between the parties.

5.4. GotPhoto assures that the data processed in the order will be strictly separated from other data. The logical separation of data is sufficient. 

5.5. Dedicated data carriers originating from or used by the photographer or his clients are specially marked and subject to ongoing administration. They are to be stored at all times and must not be accessible to unauthorised persons. 

6. Regulations for the correction, erasure and blocking of data

6.1. Data processed under the terms of the order will be corrected, erased or blocked by GotPhoto only in accordance with the agreement or according to the instructions of the photographer. 

6.2. GotPhoto will follow the corresponding instructions from the photographer at all times, unless GotPhoto believes that these violate legal regulations (e.g. accounting regulations for the storage of billing data).

7. Subprocessing

7.1. At time of the signature the Subprocessors listed at www.gotphoto.co.uk/dpa-attachments with their name, address and order content, are engaged in the processing of personal data to the extent specified therein and approved by the photographer signing this agreement. The other obligations of GotPhoto towards Subprocessors set forth here will remain unaffected.

7.2. The photographer agrees that GotPhoto involves Subprocessors. Before consulting or replacing the Subprocessor, GotPhoto informs the photographer via a global means of communication within the GotPhoto system (e.g. Newsfeed).

7.3. The photographer has the right, within two weeks of receiving information about the Subprocessor, to file a written objection against the use of the Subprocessor for material reason. If no objection is raised within the specified period, this is deemed to be the photographer’s consent to the use of this Subprocessor.

7.4. GotPhoto must ensure that the obligations of this agreement are transferred to the Subprocessor and that they are regularly checked for compliance.

7.5. Subcontractors will be contractually obliged to impose at least the same data protection obligations as are specified in this agreement. On request, the school/kindergarten will be given access to the relevant agreements between the photographer and the Subprocessor.

7.6. The rights of the photographer must be effectively exercised against the Subprocessor. In particular, the photographer must be entitled to carry out inspections of Subprocessors at any time, to the extent specified here, or have them carried out by third parties.

7.7. GotPhoto selects Subprocessors carefully, with particular regard to the suitability of the technical and organisational measures taken by the Subprocessor.

7.8. The forwarding of data processed in the order to the Subprocessor is only permissible if GotPhoto is convinced that the Subprocessor completely fulfils its obligations.

7.9. GotPhoto may also use Subprocessors in third countries. The requirements of Section 4.9. of this DPA will apply. 

7.10. If the Subprocessor does not fulfil its obligations, GotPhoto will be liable to the photographer.

8. Rights and obligations of the photographer

8.1. Only the photographer or his client is responsible for assessment of the admissibility of the commissioned processing as well as for the protection of the rights of those concerned.

8.2. The Photographer will be sure to obtain a consent form from the guardian for the processing of personal data of a minor, for the purposes specified in this agreement if they are to be collected through the online shop and ordering process. 

8.3. The photographer is entitled reasonably to verify compliance with the data protection and contractual arrangements at the GotPhoto himself or by third parties, in particular by obtaining information and viewing stored data and data processing programs and other on-site inspections. The persons entrusted with the audit should be allowed access and view by GotPhoto, if necessary. GotPhoto is required to provide necessary information, demonstrate procedures and provide evidence necessary to conduct an inspection. An inspection can be carried out solely in agreement with GotPhoto and under a 2-week registration deadline.

8.4. Inspections at GotPhoto have to be made without avoidable disruption of business operations. Unless otherwise indicated by the photographer for urgent reasons, inspections are made upon reasonable prior notice and during business hours of GotPhoto, and no more frequently than every 12 months. Unless the company provides proof of correct implementation of the agreed data protection duties, an inspection is only possible with a previously stated justified reasons.

9. Reporting obligations

9.1. GotPhoto will immediately inform the photographer of personal data protection breaches. Substantiated suspected cases are also to be communicated. The communication must contain at least the information specified in Art. 33 (3) GDPR. 

9.2. Any breach of contract or violations of data protection regulations or the provisions of this agreement by GotPhoto or its employees are also to be reported immediately.

9.3. GotPhoto informs the photographer immediately of audits or measures taken by supervisory authorities or other third parties, insofar as these relate to order processing.  

9.4. GotPhoto guarantees to assist the photographer in the exercise of his duties under art. 33 and 34 GDPR. This only refers, in so far as is necessary, to processes within the GotPhoto system and order data processing carried out by GotPhoto on behalf of the photographer.

10. Instructions

10.1. The photographer reserves a comprehensive right to give instructions regarding the processing of the order.

10.2. Instructions are to be sent to datenschutz@fotograf.de. In urgent cases, instructions may be given verbally by phone support. The photographer will confirm such instructions immediately in a documented manner.

10.3. GotPhoto will inform the photographer promptly if it believes that instruction given by the photographer violates any law or is disproportionate. GotPhoto is entitled to suspend execution of the relevant instruction until it is approved or changed by the photographer.

10.4. GotPhoto must document instructions given to it and their implementation.

11. Termination of the agreement

11.1. On termination of the agreement or at any time at the request of the photographer, GotPhoto will destroy the data processed by the customer on behalf of the photographer. Furthermore, any existing copies of the data will be destroyed. The destruction must exclude the possibility to recover even residual information with reasonable effort. 

11.2. GotPhoto is required to ensure immediate return or deletion of the data with Subprocessors as well.

11.3. Documentation that serves as proof of proper data processing must be retained by GotPhoto in accordance with the respective storage periods, even after the end of the agreement. 

12. Exceptional right of termination

12.1. The Photographer may terminate the Master Agreement and this Agreement at any time without observing a notice period (“Extraordinary Termination”) in the event of a serious breach by GotPhoto of this privacy policy or the terms of this Agreement, or GotPhoto refuses to grant the Photographer any audit rights.

12.2. A violation is deemed serious, if GotPhoto does not fulfil considerably the obligations stipulated in this agreement, in particular the agreed technical and organisational measures.

12.3. The photographer gives GotPhoto a reasonable time to remedy in case of insignificant violations. If the remedial action does not occur in time, the photographer is entitled to extraordinary termination as described in this section.

12.4. GotPhoto is entitled to extraordinary termination if the photographer objects to the commissioning of a Subprocessor in accordance with Chapter 6 of this agreement and no agreement can be reached.

13. Liability

The liability of the contractual parties is defined by the provisions of Art. 82 GDPR.

14. Other provisions

14.1. Both parties are obliged to treat all knowledge of business secrets and data security measures of another party acquired in connection with the contractual relationship as well as information about the termination of the agreement as confidential. In case of doubt as to whether the information is subject to confidentiality, it must be treated as confidential until written approval by the other party. Both parties are entitled to use information from this agreement for the purpose of exercising the opportunity of exculpation under art. 82 para. 3 GDPR and to disclose it to third parties.

14.2. The written form is required for additional agreements.

14.3. The objection to the right of retention within the meaning of Section 273 GCC is excluded with regard to the data processed in the order and the associated data carrier.

14.4. Invalidity of individual parts of this agreement do not affect the validity of this agreement.

14.5. These Clauses shall be governed by the law of the Federal Republic of Germany. Any dispute arising from these Clauses shall be resolved by the courts of the Federal Republic of Germany.

Annex 1 – Processing details

1. Photographer as a Controller

1.1. Nature and purpose of processing

The nature and purpose of the processing of personal data by GotPhoto are derived from the main contract. This includes in particular the following activities:

These activities serve the following purposes in particular:

1.2. Type of personal data

The following data can be processed:

This data is provided by the Photographer within the GotPhoto system or by the Photographer’s customers within the online store in the course of the settlement process. 

1.3. Categories of data subjects

2. Photographer as a Processor

2.1. Nature and purpose of processing

Processing of personal data of the Photographer’s customers or potential customers of the Photographer. This includes in particular: 

The purposes of these processing operations are:

2.2. Type of data

The following data are processed:

This data is provided by the Photographer within the GotPhoto system. 

2.3. Categories of data subjects

The persons concerned by the processing are:

Last update: 01/07/2022