1. Introduction, Scope, Definitions

1.1. GotPhoto as Processor or Subprocessor

This is a data processing agreement between the Photographer and Fotografen Online Service GmbH, Hausvogteiplatz 12, 10117 Berlin, Germany (“GotPhoto”)

The Photographer may act as Controller. The term “Controller” is defined within the GDPR as follows:

“Controller” is the natural person or legal entity, public authority, agency or other body which alone or jointly with others determines the purposes and means of processing personal data.

If the Photographer obtains the consent for lawful processing of personal data directly from a data subject (or in the case of a minor, from their parent(s) or legal guardian) or gathers personal data directly on the basis of Art. 6 par. 1 GDPR, the Photographer is considered a data controller. In this case GotPhoto then acts as a processor for the Photographer. This is a non-exhaustive list of examples how the Photographer can become a controller:

Alternatively, the Photographer acts as a processor. The term “Processor” is defined within the GDPR as follows:

“Processor” is a natural person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller.

If the photographer receives the data on the basis of a data processing agreement with a third party (who is not the data subject or their parent / guardian), e.g. a school / nursery, this third party acts as the controller, the photographer as the processor and GotPhoto as the subprocessor. 

1.2. Scope and definitions

This agreement applies to all activities in which GotPhoto, employees of GotPhoto or subprocessors commissioned by GotPhoto process personal data that GotPhoto receives from the Photographer.

Terms used in this agreement are to be understood as defined in Art. 4 of the GDPR. Insofar as declarations have to be made “in writing”, the definition in Section 126 of the German Civil Code (“GCC”) shall apply. In addition, declarations may also be made in other forms insofar as adequate proof of such declaration is ensured.

2. Subject and Duration of Processing

2.1. Subject

The processing is based on the conclusion of a contract between GotPhoto and the Photographer (“Principal Contract”) through the Photographer’s creation of a user account on the GotPhoto website and Photographer’s acceptance of GotPhoto’s general terms and conditions in their up-to-date version.

The Principal Contract is for the provision of services by GotPhoto to Photographer or the customers of the Photographer (e.g. processing of orders or production and shipping of photo products). GotPhoto acts as a (sub)processor at all times.

2.2. Duration

The duration of this agreement corresponds to the duration of the Principal Contract.

3. Details of the Processing

Information on the nature, the purpose of the processing, the types of personal data processed and the categories of data subjects are detailed in Annex 1 (Processing Details).

4. Obligations of GotPhoto

4.1. GotPhoto processes personal data exclusively as contractually agreed or as instructed by the Photographer, unless GotPhoto is legally required to process personal data in a certain way. If such legal requirements exist, GotPhoto will inform the Photographer before processing any data, provided that the communication is not prohibited by law.

4.2. GotPhoto confirms that it is aware of the applicable data protection regulations.

4.3. GotPhoto and its employees are committed to keeping all personal data confidential.

4.4. GotPhoto will assist the Photographer, taking into account the nature of the processing and the information available to it, in drawing up and updating the list of processing activities and in complying with the obligations set out in articles 32 to 36 of the GDPR. However, GotPhoto will only provide assistance by sharing information using GotPhoto communication channels (e.g., customer support channel, website, etc.).

4.5. If data subjects assert rights, GotPhoto undertakes to assist the Photographer with suitable technical and organisational measures to respond to data subject requests to the extent necessary to comply with its obligations as a data processor.

4.6. GotPhoto will only inform data subjects or third parties directly with the prior consent of the Photographer. GotPhoto will forward data subject requests addressed to it immediately to the Photographer.

4.7. Personal data is processed exclusively on the territory of the Federal Republic of Germany, in a member state of the European Union or the European Economic Area. Any transfer to a third country may only take place if the special requirements of art. 44 et seq. of the GDPR are met.

4.8. If the Photographer acts as a processor, he will seek the appropriate permission to engage subprocessors in third countries. If the Photographer acts as a controller, he agrees to the use of subprocessors in third countries and authorises GotPhoto to implement the EU Standard Contractual Clauses with these subprocessors, where necessary. Before engaging subprocessors in a third country, GotPhoto will inform the Photographers in text form about the subprocessor and the intended processing activities.

4.9. GotPhoto is required to implement Module 3 of the new EU Standard Contractual Clauses (Processor to Processor) with all subprocessors, if and to the extent that a data transfer to a third country takes place in the context of the subprocessing. GotPhoto must include the foregoing obligation in any processing agreement with a subprocessors.

5. Technical and Organisational Measures

5.1. GotPhoto takes the necessary measures required under art. 32 GDPR. Considering the state of the art, the implementation costs and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, GotPhoto will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

5.2. The data security measures displayed at www.gotphoto.co.uk/dpa-attachments at the time the contract is concluded shall apply. They define the minimum level of security measures to be implemented by GotPhoto.

5.3. The data security measures can be adapted in accordance with technical and organisational developments as long as the level agreed does not deteriorate. Changes will be communicated to the Photographer by e-mail or within a global means of communication within the GotPhoto system (e.g. Newsfeed).

5.4. GotPhoto will ensure that the personal data processed under this agreement will be strictly separated from other data. The logical separation of data is sufficient.

5.5. Data storage media originating from or used by the Photographer or his customers will be specifically marked and subject to ongoing monitoring. Such media will be properly stored at all times and must not be accessible to unauthorised persons.

6. Correction, Erasure and Blocking of Data

6.1. GotPhoto will only correct, erase or block personal data processed in accordance with this agreement or the instructions of the Photographer.

6.2. GotPhoto will follow the instructions of the Photographer at all times, unless GotPhoto believes that such instructions violate legal regulations (e.g. accounting regulations for the storage of billing data).

7. Subprocessing

7.1. The subprocessors listed at www.gotphoto.co.uk/dpa-attachments with their name, address and processing activities, are engaged in the processing of personal data to the extent specified. By accepting the terms of this agreement the Photographer approves the subprocessors listed. GotPhoto’s obligations related to the subprocessors set forth in this agreement remain unaffected.

7.2. The Photographer agrees to GotPhoto engaging subprocessors. Before contracting or replacing a subprocessor, GotPhoto will inform the Photographer via a global means of communication within the GotPhoto system (e.g. Newsfeed) about the new subprocessor.

7.3. The Photographer has the right to file a written objection against the engagement of the subprocessor for material reason within two weeks of receiving information about the new subprocessor. If no objection is raised within the specified period, Photographer will be deemed to have consented to the new subprocessor.

7.4. GotPhoto must ensure that the contract with the subprocessor contains the same data protection obligations stipulated in this agreement and check compliance by subprocessor regularly.

7.5. Photographer must be able to effectively exercised his rights against any subprocessor. In particular, the Photographer must have the contractual right to carry out inspections of subprocessors at any time, to the extent specified herein, or appoint a third party to conduct such inspections.

7.6. GotPhoto selects subprocessors carefully, with particular regard to the suitability of the technical and organisational measures taken by the subprocessor.

7.7. The sharing of personal data processed under this agreement with the subprocessor is only permissible if GotPhoto is convinced that the subprocessor fully complies with its data protection obligations.

7.8. GotPhoto may use subprocessors in third countries. Section 4.9. of this agreement will apply.

7.9. If the subprocessor does not comply with its data protection obligations, GotPhoto will be liable to the Photographer.

8. Rights and Obligations of the Photographer

8.1. The Photographer, or if the Photographer acts as a processor, then the data controller, are responsible to determine whether the data processing takes place in accordance with legal regulations and the rights of the data subjects are protected.

8.2. If required under applicable law, the Photographer will obtain the consent from the data subject and if the data subject is a minor, from the minor’s parent(s) or legal guardian, for the processing of personal data for the purposes specified in this agreement.

8.3. The Photographer has the right to verify GotPhoto’s compliance with data protection regulations and contractual arrangements personally or by engaging third parties. The Photographer may, in particular, request information, view stored data and data processing programs and conduct on-site inspections. Any persons entrusted with the audit should be allowed access by GotPhoto. GotPhoto is required to provide the necessary information, demonstrate procedures and provide any evidence necessary to conduct an inspection. An inspection can be carried out upon two weeks’ notice to GotPhoto.

8.4. Photographer must ensure that any audit conducted will not disrupt GotPhoto’s business operations. Unless Photographer provides proof of an emergency, an audit can only be conducted upon reasonable prior notice, during the business hours of GotPhoto, and no more than once every 12 months. Provided that GotPhoto shows it complies with all data protection obligations, an audit must be supported by and can only be conducted based on a justified reason expressed by the Photographer.

9. Reporting Obligations

9.1. GotPhoto will inform the Photographer immediately of a personal data breach. The communication must contain at least the information specified in Art. 33 (3) GDPR.

9.2. GotPhoto will also report any violations of data protection regulations or provisions of this agreement by GotPhoto or its employees.

9.3. GotPhoto informs the Photographer immediately of audits or measures taken by supervisory authorities or other third parties, insofar as these relate to data processing.

9.4. GotPhoto will assist the Photographer to comply with his obligations under art. 33 and 34 GDPR. This assistance solely encompasses existing processes and information within the GotPhoto system as well as information relating to the data processing carried out by GotPhoto on behalf of the Photographer.

10. Instructions

10.1. The Photographer reserves the right to give instructions regarding the processing of personal data.

10.2. Instructions can be sent to datenschutz@fotograf.de. In urgent cases, instructions may be given verbally to GotPhoto’s phone support. The Photographer will confirm such instructions immediately in a documented manner.

10.3. GotPhoto will inform the photographer promptly if it believes that instructions given by the Photographer violate any law or are unreasonable. GotPhoto is entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Photographer.

10.4. GotPhoto must document instructions given to it and their implementation.

11. Termination of the Agreement

11.1. Upon termination of the agreement or upon request by the Photographer at any time, GotPhoto will destroy the personal data processed on behalf of the Photographer. Furthermore, any existing copies of the personal data will be destroyed. The destruction of the personal data must be executed in a way that circumvents the recovery of residual data.

11.2. GotPhoto must ensure that any subprocessors immediately return or delete the personal data processed by them.

11.3. Documentation that serves as proof of proper data processing must be retained by GotPhoto in accordance with the respective storage periods, even after the end of the agreement. 

12. Termination for Cause

12.1. The Photographer may terminate the Principal Contract and this agreement at any time (“Termination for Cause”) in the event of a serious breach by GotPhoto of the terms of this agreement, or if GotPhoto refuses to grant the Photographer the audit rights stipulated in this agreement.

12.2. A violation is deemed serious, if GotPhoto does not fulfil material obligations stipulated in this agreement, in particular the implementation of the agreed technical and organisational measures.

12.3. The Photographer will allow GotPhoto to remedy the serious breach. If the remedial action does not occur in a timely manner, as established between the parties, the Photographer is entitled to terminate for cause.

12.4. GotPhoto shall have the right to terminate for cause if the Photographer objects to the engagement of a subprocessor in accordance with Chapter 7 of this agreement.

13. Liability

The liability of the parties is defined in art. 82 GDPR.

14. Miscellaneous

14.1. Either party will treat the proprietary information and the data security measures of the other party as confidential. In case of doubt as to whether the information is subject to confidentiality, it must be treated as confidential until a written statement of release from confidentiality is provided by the other party. The obligation of confidentiality shall survive the termination of this agreement. Both parties are entitled to use information resulting from this agreement for the purpose of exculpation under art. 82 para. 3 GDPR and disclose the necessary information to third parties strictly for the purpose of aforementioned exculpation.

14.2. Any additional agreements between the parties must be made in writing.

14.3. The right to retain personal data in any form in accordance with section 273 GCC is excluded.

14.4. If a clause or chapter of this agreement is found to be invalid by a court of law, this shall not affect the validity of any other clause or chapter of this agreement.

14.5. This agreement shall be governed by the law of the Federal Republic of Germany. Any dispute arising from this agreement shall be resolved by the courts of the Federal Republic of Germany.

Note: This data protection agreement is valid without signatures of the parties and will come into effect when the Photographer agrees to GotPhoto’s general terms and conditions, which reference and include this data protection agreement.

Annex 1 – Processing Details

1. Photographer as a Controller

1.1. Nature and purpose of processing

The nature and purpose of the processing of personal data by GotPhoto are derived from the Principal Contract. This includes the following activities:

These activities serve the following purposes:

1.2. Type of personal data

The following data can be processed:

This data is provided by the Photographer within the GotPhoto system or by the Photographer’s customers within the online store during the order process.

1.3. Categories of data subjects

2. Photographer as a Processor

2.1. Nature and purpose of processing

The nature and purpose of the processing of personal data by GotPhoto are derived from the Principal Contract. This includes the following activities: 

The purposes of these processing operations are:

2.2. Type of data

The following data are processed:

This data is provided by the Photographer within the GotPhoto system. 

2.3. Categories of data subjects

The persons concerned by the processing are:

Last update: 01/07/2024

Download the Data Protection Agreement