DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is hereby entered into by and between Pic-Time Ltd. (“Company”) and the Photographer, each a "party" and collectively the "parties", and is an integral part of the Terms of Service executed between the parties (“Terms”). Capitalized terms used but not defined herein shall have the respective meanings given to them in the Terms. This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties and under the Terms.
The Photographer hereby accepts and agrees that the Company does not have a direct relationship with the Data Subjects (i.e., the Customers). The Photographer therefore undertakes to obtain a proper affirmative act of consent from Data Subjects where required under applicable Data Protection Law, to display relevant notices, and to adhere to any and all applicable privacy requirements, in order to allow the Company to Process Personal Data as set out herein and to allow the transfer of Personal Data to the Company or otherwise, where applicable.
It is agreed that where the Company receives a request from a Data Subject or an applicable authority in respect of the Photographer Data Processed by the Company, the Company will, where relevant, direct the Data Subject or the applicable authority to the Photographer in order to allow the Photographer to respond directly to the request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law and applicable law.
Company shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
It is hereby agreed that any sharing of Personal Information between the parties is made solely in order to fulfill a Business Purpose and the Company does not receive or process any Personal Information as consideration for the Service. Thus, such Processing of Personal Information shall not be considered a Sale under the CCPA.
In the event of a conflict between the terms and conditions of this DPA and the Terms, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Terms shall remain in full force and effect.
ANNEX I
DETAILS OF PROCESSING AND TRANSFERRING OF PHOTOGRAPHER PERSONAL DATA
This Annex I includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and of the transfer of Personal Data subject to the Standard Contractual Clauses.
Categories of data subjects whose personal data is processed or transferred:
Categories of personal data processed and transferred:
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Continuous and one-off depending on the transfer.
Nature and purpose(s) of the processing and transfer on behalf of the controller:
Storage and providing the Service as set forth in the Terms.
Duration of the processing:
For the duration of the Service in accordance with the Terms, and for the period from termination of the Terms until the deletion of all of the Photographer Data.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The sub-processors are mainly storage providers; all of the above applies equally to the sub-processors.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
(I) General Background:
This Technical and Organizational Measures Annex sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission.
(II) Specification
System Access Control
Access to the Company’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. The Company has also implemented appropriate safeguards for remote access and wireless computing capabilities. Employees are assigned individual credentials that permit access to or use of Personal Data only in accordance with the employee’s position, and solely to the extent such access or use is required. Access to Personal Data, and the credentials used to gain such access, are monitored continuously. The Company uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute-force attack.
Physical Access Control
The Company ensures the protection of the data servers which store the Personal Data from unwanted physical access.
The data processed by the Company is stored on Microsoft Azure’s servers, which are located in the EU, the US and Australia, and on MongoDB’s servers. Please refer to the security measures published by Azure and by MongoDB. Personal Data transferred to the applicable servers is always transferred in a secure and encrypted manner; encryption is applied by default, both at rest and in transit. The Company also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company’s offices, using security locks and an alarm system, amongst other measures.
Data Access Control
User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it, and to ensure that Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions. Any access to Personal Data, as well as any action involving the use of Personal Data, requires a user name and password; passwords are routinely changed, and accounts are blocked where applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him or her by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Furthermore, the Company conducts ongoing reviews of the employees who have been authorized to access Personal Data, in order to assess whether such access is still required. The Company revokes access to Personal Data immediately upon termination of employment. Authorized individuals can access only the Personal Data located within their individual profiles.
Organizational and Operational Security
The Company invests significant effort and resources in ensuring that the Company’s security policies and practices are complied with, including by continuously providing employees with training on such security policies and practices. The Company strives to raise awareness of the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software.
Transfer Control
The Company will conduct transfer impact assessments (“TIA”) where required by applicable law with respect to all transfers of Personal Data and is able to share the TIA upon a Photographer’s or Customer’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during electronic transmission or during transport to, or storage in, the applicable data center. Furthermore, any and all transfers of Personal Data (whether between Visitors, Photographers, Customers, the Company’s service providers or the Company’s servers) are secured and encrypted. Encryption is implemented by default both in transit and at rest.
Availability Control
The Company maintains backup policies and associated measures. Such backup policies include continuous monitoring of the operational parameters relevant to backup operations. Furthermore, the Company’s servers include an automated backup procedure. The Company also conducts regular checks of the condition and labelling of data storage devices for data security. The Company ensures that regular checks are carried out to verify that backups can be restored, as required and applicable.
Data Retention
Personal Data is retained for as long as needed for the Company to provide the Service, or as required under applicable laws.
Job Control, Third-Party Contractors And Service Provider
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the Company applies appropriate consequences in order to ensure compliance with the Company’s policies. In addition, prior to engaging third-party contractors, the Company undertakes diligence reviews of such contractors. The Company agrees with third-party contractors on effective rights of control with respect to any Personal Data processed on behalf of the Company. The Company ensures that it enters into data protection agreements with all of its clients and service providers.
Data Subject Request
The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”). Furthermore, the Company has implemented internal policies for handling DSRs, subject to applicable data protection laws and contractual obligations.
Contractual Obligations
The Company has ensured that all documents, including without limitation agreements (including online agreements) and privacy policies, are compliant with applicable Data Protection Laws, including by implementing Data Processing Agreements and, where needed, Standard Contractual Clauses (either pursuant to the GDPR as adopted by European Commission Decision 2021/914 of 4 June 2021, which is incorporated herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN , or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR) for transferring Personal Data outside of the EEA or the UK.
Additional Safeguards
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented in light of the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). These measures include the following:
ANNEX III
List of Sub-Processors
Name | Address | Server location | Description of the processing
Atkins Photo Lab | 89 Fullarton Road Kent Town, Australia | Australia | Photograph and Product Development
Microsoft Azure | 1 Microsoft Way, WA, US | EU, US, Australia | Cloud infrastructure services and storage
MongoDB, Inc. | Main U.S.A HQ: 1633 Broadway | US | Cloud infrastructure services and storage
Bay Photo Lab | 920 Disc Drive, Scotts Valley, CA 95066 USA | USA | Photograph and Product Development
Dekora Album Co. | 3952 Chesswood Dr, North York, ON M3J 2P6, Canada | USA | Photograph and Product Development
Dutch Ink Albums (Chamber of Commerce number: 66877431) | Hoge Rijndijk 9B 3449HB Woerden, The Netherlands | EU | Photograph and Product Development
Floriano da Costa & Gavina Lda | NIPC 501 245 596, Rua de Cidres 1586, 4455-442 Perafita, Matosinhos, Portugal | Portugal | Photograph and Product Development
Folio Albums Ltd. | 7B Shortwood Court | USA | Photograph and Product Development
GTA Imaging | 80 St. Regis Crescent North, North York, ON M3J 1Z3, Canada | Canada | Photograph and Product Development
Giclee Art | Via C. Rispoli 319, 71016 San Severo FG, Italy | EU | Photograph and Product Development
Indie Print Company | USA | USA | Photograph and Product Development
Kiss Wedding Books, LLC | USA | USA | Photograph and Product Development
La Rousse | USA | USA | Photograph and Product Development
Loxley Colour | 1 Drum Mains Park, Orchardton Woods, Glasgow, G68 9LD, UK | USA, UK | Photograph and Product Development
Miller's Professional Imaging Co. | 1712 East Pointe Dr., Columbia, MO 65201, USA and 610 E. Jefferson, Pittsburg, KS 66762, USA | USA | Photograph and Product Development
Momento | 15-17 Merton St | Australia | Photograph and Product Development
Musea | 877 Seven Oaks Blvd #520 | USA | Photograph and Product Development
CYFROWA FOTO SP. Z O.O. | 190 Zaczernie, 36-062 Zaczernie | Poland | Photograph and Product Development
Prints by DKJ | Slöjdgatan 2 | EU | Photograph and Product Development
Profotonet | Rietbaan 17 | EU | Photograph and Product Development
Digito Marcin Bittner | Obywatelska 37, 33-100 Tarnów, Poland, VAT: PL8732909530 | EU, USA | Photograph and Product Development
RedTree Albums | 13030 Eastgate Park Way, Louisville, KY 40223, USA | USA | Photograph and Product Development
Richard Photo Lab | 21515 Centre Pointe Pkwy, Santa Clarita, CA 91350, USA | USA | Photograph and Product Development
Sim Imaging | Unit 8, The I O Centre, Hearle Wy, Hatfield AL10 9EW, United Kingdom | UK | Photograph and Product Development
Seldex Artistic Albums | 397 Victoria Street | Australia | Photograph and Product Development
SnapAlbums Marcin Bittner | ul. Obywatelska 37, 33-100 Tarnów, NIP 8732909530, REGON 120174129, Poland | Poland | Photograph and Product Development
The Print House | 1 HaZerem, Tel-Aviv-Yafo, Israel | Israel | Photograph and Product Development
Trig Point Print and Frame Ltd. | Diamond Harbour, Canterbury, New Zealand, 8971 | New Zealand | Photograph and Product Development
White House Custom Colour | Eagan, MN, USA | USA | Photograph and Product Development
WB Street Ltd. / Wooden Banana | 62 Huntly Gardens | Poland | Photograph and Product Development
PayPal, Inc. | 2211 North First Street | US | Payment Processing
Stripe, Inc. | 510 Townsend Street, San Francisco, CA 94103, U.S.A. and Dublin, Ireland | EU and US | Payment Processing
Block, Inc. (Square) | 1455 Market Street, Suite 600, San Francisco, CA 94103, U.S.A. | USA, Canada, Japan, and the EU | Payment Processing
BlueSnap, Inc. | 800 South St, Suite 640, Waltham, MA, USA | USA, UK | Payment Processing
Twilio Inc. | 375 Beale Street, Suite 300, San Francisco, CA 94105, USA | USA | Email Marketing
Intuit Inc. (Mailchimp) | 2632 Marine Way, MS2700 | USA | Email Marketing
Intercom | 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA | USA | Customer Support
OpenAI | 3180 18th St, San Francisco, California, 94110, United States | USA | Content creation services
Userflow, Inc. | San Francisco, California, USA | USA | Customer Support and service provision