Data Processing Agreement

Last updated: 12 December 2024

This is the data processing agreement (the DPA) of GoPhoto B.V. (GoPhoto).

In the execution of the (master) services agreement between the Parties (the Agreement), GoPhoto processes Personal Data on behalf of the Partner. The Partner and GoPhoto are therefore under an obligation to conclude the DPA. GoPhoto and the Partner are both a party to this DPA.

  1. Definitions
    Capitalised terms in this DPA shall have the meaning as set out in Annex 5.1 or if not found in Annex 5.1, it shall have the meaning as set out in the Agreement.
  2. Subject of the DPA
    1. This DPA is an addition to the Agreement. In the event of a conflict regarding the processing of Personal Data, the terms of this DPA will prevail over the terms of the Agreement, Parties’ privacy policies, or the terms of any other agreement entered into between the Parties.
    2. The terms of this DPA apply to all the processing of Personal Data by Parties in connection with the execution of the Agreement.
    3. The Partner acts as a controller (also called a ‘data controller’), in the sense of the GDPR. This means that the purpose and the means of the processing of personal data are determined by the Partner, and that the Partner uses this data for its own personal purposes.
    4. GoPhoto acts as a ‘processor’ in the sense of the GDPR. This means that GoPhoto only processes the personal data supplied by the Partner in accordance with the Partner’s written instructions, as described in this DPA or Agreement. GoPhoto shall not process the data for its own personal purposes.
  3. Execution of the Processing
    1. In the execution of the Services, GoPhoto will handle the Personal Data in a careful manner and only process the Personal Data based on the assignment of the Partner, in accordance with its written instructions and in accordance with the Agreement, this DPA, and the GDPR.
    2. GoPhoto will not process the Personal Data for any other purpose than as determined by the Partner. GoPhoto has no control over the purpose and means of the processing of the Personal Data.
    3. GoPhoto further guarantees that every person acting under its authority will process the Personal Data lawfully and in accordance with this DPA and the GDPR.
    4. At the request of the Partner, GoPhoto will provide the Partner with information about the (security) measures taken in order to comply with the obligations under the GDPR, the Agreement, this DPA, and other instructions from the Partner.
  4. Warranty Partner
    The Partner guarantees the processing of the Personal Data of the Data Subjects, as referred to in this Agreement, is not unlawful and does not violate the rights of others. The Partner indemnifies GoPhoto against all claims relating to this.
  5. Transfer of Personal Data
    1. If the Partner is situated outside the European Union, GoPhoto shall still process the Personal Data in accordance with the GDPR.
    2. GoPhoto shall, at the request of the Partner, notify them in which countries it processes personal data for the benefit of the Partner.
  6. Security Measures
    1. GoPhoto implements all appropriate technical and organisational measures to prevent loss of personal data or any form of unlawful processing. These measures shall guarantee an adequate level of protection of the personal data being processed.
    2. GoPhoto will at least take the security measures as set out in Annex 2.
    3. GoPhoto shall provide the Partner with all available information to provide the Partner assistance in carrying out security measures, conducting audits and inspections, and carrying out data protection impact assessments.
  7. Security Incidents
    1. GoPhoto will report any theft, loss, misuse, or other form of data breach to the Partner as soon as possible. This report includes, as far as possible, at least the following: the nature of the breach, the categories and scope of the personal data concerned, the likely consequences of the data breach, the measures GoPhoto has taken, and the contact details for the Partner to obtain more information.
    2. If needed, GoPhoto will fully cooperate to inform the authorities and Data Subjects about such security incidents or data breaches. In addition, GoPhoto will fully cooperate in carrying out risk assessments, analysing the cause of the incident or breach, identifying required corrective measures, and implementing those measures.
  8. Duration and Termination
    1. This DPA constitutes an integral part of the Agreement and shall automatically terminate upon termination of the Agreement.
    2. The Parties cannot terminate this DPA independently from the Agreement. If the Agreement is terminated, then this DPA will also be automatically terminated.
    3. If this DPA is terminated or dissolved, Parties must continue to comply with the provisions of this DPA regarding confidentiality, liability, indemnification, and all other provisions that are intended by nature to remain applicable between the parties after termination or dissolution of this DPA.
    4. If this DPA is terminated or dissolved, GoPhoto will return all data, including personal data, which are processed by GoPhoto based on the Agreement, to the Partner at their request. Upon request, GoPhoto shall, within 2 months of termination of the DPA, safely remove or destroy all personal data, including any copies of it, unless GoPhoto is legally obliged to store the personal data for a longer period.
  9. Confidentiality and Non-Disclosure
    1. GoPhoto will treat all Personal Data and other data received from the Partner as confidential. GoPhoto will limit access to this data to persons working for GoPhoto who need access to correctly process the data on behalf of the Partner.
    2. All Personal Data GoPhoto receives based on the Agreement or the DPA are subject to a non-disclosure obligation towards third parties. All persons employed by or working for GoPhoto, as well as GoPhoto itself, are required to maintain secrecy regarding the personal data.
    3. GoPhoto will not provide third parties with the personal data, copy, multiply, or otherwise make the personal data public without permission from the Partner.
  10. Rights of Data Subjects
    1. GoPhoto will assist the Partner with all requests received from Data Subjects, such as the right to access, rectification, or erasure.
    2. If GoPhoto receives a request from a third party to provide access to the Personal Data based on an alleged legal obligation, GoPhoto will inform the Partner in writing before providing the third party access so the Partner can assess whether the request is legitimate.
  11. People Working Under the Authority of GoPhoto
    The obligations for GoPhoto arising from this Agreement also apply to those who process personal data under the authority of GoPhoto, including but not limited to employees.
  12. Sub-Processors
    1. GoPhoto may sub-contract the processing of the personal data to external parties. GoPhoto has sub-contracted (part of) the processing of the personal data to the following Sub-Processors: @
    2. GoPhoto may appoint new Sub-Processors for the processing of the personal data. GoPhoto will notify the Partner of the addition or replacement of any Sub-Processors. The Partner is then also offered the possibility to object to this. In addition, the Partner may request an overview of all appointed Sub-Processors.
  13. Liability and Indemnification
    1. GoPhoto is responsible for all Personal Data (or other data) that the Partner has shared with GoPhoto. GoPhoto indemnifies the Partner against all claims by third parties or fines by an authority because of the transfer of this Personal Data.
    2. The limitations of liability as set out in Article 8 of the Terms (Indemnification, Liability, and Insurance) apply to any liability resulting from this DPA or the use of the Personal Data.
  14. Miscellaneous and Dispute Resolution
    Articles 15 and 16 of the Terms are inter alia applicable to this DPA.

ANNEX 5.1 – Definitions

Definition Explanation
Agreement The (master) services agreement between the Parties.
Data Subjects The visitors to the Partner’s Location of which personal data is collected on the basis of the Agreement; data subjects within the meaning of what is specified in the GDPR.
DPA This data processing agreement, applicable between Parties.
GDPR General Data Protection Regulation.
Parties GoPhoto and Partner referred to jointly.
Partner The Partner with the details as set out in the Agreement.
Personal Data Data which can be used either directly or indirectly to identify a natural person, as intended in the GDPR. In relation with Partner, the processed personal data concern:

  • Photographs (biometrical data); and
  • Contact & Payment data.
Purposes of processing The purpose of the data processing as subject of this DPA is limited to servicing the customers of Partner with a photo memory.
Sub Processors Third parties, engaged by GoPhoto for the processing of personal data for the benefit of the Partner.

ANNEX 5.2 – Security measures

Measures Explanation
Encryption Encryption of digital files containing Personal Data.
Anonymization GoPhoto extracts information from the photos of visitors through facial recognition software. This information is combined by GoPhoto into group data, separated from the biometrical data and subsequently stored anonymously. In this way, there is no link anymore between the visitor statistics and the Data Subjects.
Access restriction The access to the Personal Data is restricted to the authorized employees on a need-to-know basis.
Transport Layer Security Secure network connections with Transport Layer Security (TLS) technology or a non-deprecated technology that is similar to TLS.
Non-disclosure Non-Disclosure Agreements (NDA’s) are concluded in the event that confidential information is exchanged.
Maintaining measures Process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.