Submission of a Data Processing Agreement (DPA) between the photographer, institution or family as a means of obtaining parental consent
Date of last update: 30.03.2023
- Introduction, Scope of Application, Definitions
- Why this contract?
- School and nursery photography has become common place in many childcare facilities. To maintain this practice, adjustments are required to comply with new statutory provisions concerning the handling of personal data. This contract regarding third party data processing on behalf of a data controller ensures that the activities of the Photographer and the provision of photographs from the photographing of children complies with the applicable regulations of the United Kingdom General Data Protection Regulation (UK GDPR).
- The protection of children’s/pupils’ data and, above all, their photographs, is of the greatest importance.
- What are the advantages of this contract?
- This contract ensures that the photographing of children and provision of photographs takes place in accordance with the provisions of the UK GDPR.
- You control the entire process from taking the images to supplying them to the parents.
- What is excluded from this contract?
- Ordering, production and shipment of photo products is excluded from this contract. These are the subject of direct agreement between the parents and the Photographer when items are purchased from the online shop.
- Agreements with the legal guardians of the photographed children also fall outside this contract.
- Why this contract?
1.4 Scope of Application and Definitions
- This contract applies to all activities in which the Photographer, the Photographer’s staff or the Photographer’s subcontractors process the personal data of children attending the School/Nursery.
- Terms used in this contract shall be interpreted in accordance with their definition in the UK GDPR. If any declarations referred to below are required to be made “in writing”, that includes fax or email (but not text message or other electronic format) and must include a signature. Otherwise, declarations may be made in another form if they are deemed to provide sufficient evidence of the declaration.
The legal justification for the Photographer processing personal data is contractual, based on the School/Nursery commissioning the Photographer to photograph children/pupils (referred to below as the “Main Contract” – which may also be entered into orally) in respect of whose data the School/Nursery is a data controller having the right to transfer that data in accordance with this agreement.
The commission only refers to the taking of pictures and the password protected provision of them for sale via the online shop. https://lisavictoriaphotography.gotphoto.co.uk/ All steps of any sale between the Photographer and the legal guardian are governed as described in clause 1.3 a) above.
Processing begins with the first transfer of personal data to the Photographer and continues for an indefinite period until notice is given to terminate this contract or the commission of the Photographer by the School/Nursery. Upon request of the School/Nursery, the data collected under this contract will be deleted.
For clarification purposes, if the persons with parental responsibility for a child/pupil or a pupil of full age give a separate consent to the Photographer to process the data of the relevant child/pupil beyond the end of this contract, or beyond the commission of the Photographer, the relevant data may be processed even after this contract ends. Such processing will no longer be subject to the provisions of this contract.
- Type and purpose of processing
Personal data will be processed for the purpose of undertaking and handling school and nursery photography within the School/Nursery, as well as processing the photographs and providing them for online sale.
- collection of personal data in the course of photography,
- adjustments and alterations in the course of image processing,
- transfer to other servicer providers,
- password protected provision of the photographs for online sale.
- Type of data
The following data is processed:
- individual and group photographs of the children/pupils
- name of the group or class of children/pupils
- if notified by the School/Nursery: the children’s/pupils’ first and surnames.
This data is provided by the School/Nursery under the provisions of this contract.
- Categories of data subjects
Data subjects affected by the processing are:
Pupils/children cared for by the School/Nursery.
- Obligations of the Photographer
- The Photographer will only process the personal data as contractually agreed or separately directed by the School/Nursery, unless statute requires the Photographer to undertake any particular processing. If such statutory obligations exist, the Photographer will notify the School/Nursery prior to processing, unless statute prohibits him from providing this notification.
- The Photographer guarantees that he and his staff have undertaken to maintain data confidentiality.
- In connection with the third-party processing commissioned, the Photographer (taking the type of processing and information at his disposal into consideration) must support the School/Nursery to prepare and update its record of processing activities and comply with the duties specified in Articles 32 to 36 of the UK GDPR.
- If any relevant person asserts any rights in relation to the processing of data under this agreement, the Photographer undertakes to the School/Nursery that, subject to the right asserted or any allegation made, if a third party processing data on behalf of the School/Nursery is involved, the Photographer will support the School/Nursery to the extent required with suitable technical and organisational measures when responding to such assertions or allegations.
- The Photographer may only provide information to additional third parties or persons concerned with the prior consent of the School/Nursery. He will forward any requests made directly to him to the School/Nursery without delay.
- The processing of the data shall in principle take place in the territory of the United Kingdom. Any transfer to a third country may only take place if the special requirements of Art. 44 et seqq. UK GDPR are fulfilled.
- Technical and organisational measures
- The Photographer will implement the measures required under Article 32 UK GDPR. Considering the state of the art, the scope, context and purposes of the processing and the varying likelihood and severity of risk to the rights and freedoms of natural persons, the Photographer will implement appropriate technical and organisational measures to guarantee a level of security appropriate to the risk.
- The data security measures described in Appendix 1 are binding. They define the minimum obligations of the Photographer.
- The data security measures can be adjusted in accordance with further technical and organisational developments, provided that they do not fall short of the level of security agreed here. Changes must be notified to the School/Nursery by email without delay. Significant changes must be agreed between the parties.
- The Photographer guarantees that the data processed on behalf of the School/Nursery is kept strictly separate from other databases and is adequately protected.
- Dedicated data storage media originating from or used for the School/Nursery, will be specially identified and subject to on-going management. They must be stored appropriately and must not be accessible to third parties.
- Provisions relating to the correction, erasure and blocking of data
- Data processed on behalf of the School/Nursery will only be corrected, deleted or blocked by the Photographer in accordance with the agreement entered into or on instruction by the School/Nursery.
- Such instructions from the School/Nursery will always be followed by the Photographer.
- The School/Nursery authorizes the Photographer to make use of other subcontractors in accordance with the following subsections in Sect. 6 of this Agreement. This authorization shall constitute a general written authorization within the meaning of Art. 28 (2) UK GDPR.
- The Photographer currently works with the subcontractors specified in Appendix 2 and the School/Nursery hereby agrees to their appointment.
- The Photographer shall be entitled to appoint or replace other subcontractors. The Photographer shall inform the School/Nursery in advance of any intended change regarding the appointment or replacement of other subcontractors by email. The School/Nursery has the right to object to an intended change.
- The objection to the intended change must be lodged with the Photographer within two weeks after receipt of the information of the change in writing. In the event of an objection, the Photographer may, at his own discretion, either provide the service without the intended change or propose an alternative subcontractor and coordinate it with the School/Nursery. Insofar as the provision of the service is unreasonable for the Photographer without the intended modification – for example, due to the associated disproportionate costs for the Photographer – or the agreement on an alternative subcontractor fails, the School/Nursery and the Photographer may terminate this Agreement as well as the Main Contract with a notice period of one month to the end of the month.
- A level of protection comparable to that of this contract must always be guaranteed when other subcontractors are involved. The Photographer is liable to the Nursery/School for all acts and omissions of subcontractors it appoints.
- Rights and obligations of the School/Nursery
- As the data controller, the School/Nursery alone is responsible for assessing whether the commissioned third party processing is permitted and for safeguarding the rights of data subjects.
- The School/Nursery shall place all orders, part orders or instructions documented in the form of at least an email. In urgent cases, instructions may also be given orally but such instructions will be confirmed in writing by the School/Nursery without delay.
- Where applicable, the School/Nursery guarantees that it has obtained or will obtain a declaration of consent to the processing of a minor’s personal data for the purposes specified in this contract from the child’s/pupil’s legal guardian.
- The School/Nursery is entitled, to an extent that is appropriate, to monitor - or arrange for a third party to monitor - the Photographer’s compliance with data protection provisions and the contractual agreements, in particular by obtaining information and inspecting stored data and data processing programs, as well as other on-site controls. The Photographer must allow the person entrusted with monitoring to enter and inspect as far as is necessary. The Photographer is obliged to provide information, demonstrate procedures and provide evidence as required to enable monitoring.
- Any monitoring of the Photographer must take place after prior notification in good time and without avoidable disruption to his business operations. Unless otherwise required for urgent reasons (to be documented by the School/Nursery), monitoring should take place after appropriate prior notice during the Photographer’s business hours and not more than once every 12 months. Provided the Photographer supplies evidence that the agreed data protection obligations are correctly implemented, monitoring should be restricted to spot checks.
- Notification obligations
- The Photographer shall inform the School/Nursery of any personal data breaches without delay. Notification must also be given in cases where there is justified suspicion of a breach. The notification must at least contain the details referred to in Article 33 (3) UK GDPR.
- Significant disruptions to the completion of the commission and infringements of data protection provisions or the provisions of this contract by the Photographer or persons employed by him must also be notified without delay.
- The Photographer will inform the School/Nursery without delay of any monitoring or measures taken by supervisory authorities or other third parties if these relate to order processing.
- The Photographer guarantees that it will support the School/Nursery to the extent necessary in order for the School/Nursery to comply with its obligations pursuant to Articles 33 and 34 UK GDPR.
- The School/Nursery reserves a comprehensive right to give instructions in relation to third party data processing on its behalf.
- The School/Nursery and the Photographer appoint the persons in Appendix 3 who are exclusively authorised to give and accept instructions.
- The Photographer will inform the School/Nursery without delay if he is of the opinion that an instruction given by the School/Nursery infringes statutory provisions. The Photographer is entitled to suspend the relevant instructions until the School/Nursery confirms or changes them.
- The Photographer must document the instructions given to him and their implementation.
- Termination of the assignment
- Upon termination of the contract or at the request of the School/Nursery, the Photographer must either destroy the data processed on behalf of the School/Nursery or transfer it to the School/Nursery. All existing copies of the data must likewise be destroyed. Destruction must ensure that the recreation of the data – including the recreation of residual information – is no longer reasonably possible.
- The Photographer is obliged to ensure that subcontractors also immediately return or delete the data.
- Documentation that serves as proof of proper data processing must be kept by the Photographer according to the relevant retention periods even after the end of the contract. The Photographer can discharge this obligation by giving this documentation to the School/Nursery at the end of the contract.
- Special right of termination
- If there is a serious infringement of data protection provisions or the provisions of this agreement by the Photographer or the Photographer cannot or will not comply with a lawful instruction from the School/Nursery or the Photographer refuses to permit the School/Nursery to exercise its monitoring rights in breach of contract, then the School/Nursery can give notice to terminate the main contract and this agreement at any time without notice (“extraordinary termination”).
- Without limitation, a serious infringement exists if the Photographer is not fulfilling or has not fulfilled the obligations agreed in this contract to a significant extent, in particular with regard to the agreed technical and organisational measures.
- In the event of insignificant infringements, the School/Nursery will set an appropriate time limit for the remedying of the infringement. If the infringement is not remedied in time, the School/Nursery is entitled to extraordinarily terminate the agreement as described in this clause.
- The Photographer has a right of extraordinary termination if the School/Nursery objects to the instruction of a subcontractor in accordance with clause 6 of this contract and no agreement can be reached.
- The provisions of Article 82 UK GDPR apply with regard to any affected party’s rights to compensation and the respective liabilities of the School/Nursery, the Photographer and any third-party processor.
- Both parties undertake that they will keep confidential (including after the end of the contract) any knowledge obtained in the course of the contractual relationship in respect of the business secrets and data protection measures of the other party. If doubt exists as to whether certain information is subject to the duty of confidentiality, it must be handled as confidential until written clearance from the other party is obtained. Both parties are entitled to use information from this contract and disclose it to third parties for the purpose of exercising the exemption from liability provision in Article 82 (3) UK GDPR.
- Any variation of this agreement and any agreement ancillary to this agreement shall only be effective if made in writing and signed by the parties (or their authorised representatives).
- The Photographer holds no lien in respect of data commissioned to be processed on behalf of the School/Nursery and the data storage media pertaining to it.
- If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this agreement.
- This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of England and Wales.
The minimum technical and organisational measures for guaranteeing data protection and data security that must be established and maintained on an on-going basis by the Photographer are specified below. The aim is to guarantee the confidentiality, integrity and accessibility of the information processed on behalf of the data controller.
- Organisation of information security
- The photographs for each child shall be stored separately using individual passwords
- All servers are located within the UK, the EU or EEA
- The security of the servers is guaranteed by security concepts complying to standard ISO 27001
- Access control
- Access to the system for online selling is possessed by the Photographer alone. Subcontractors are merely able to access the system for a limited period with the express consent of the Photographer.
- In relation to processing by subcontractors, there is a rights management arrangement which regulates who is entitled to access personal data.
- Security of communications
- Data may only be communicated to subcontractors via a SSL encrypted upload client.
- Communication with the online gallery to provide photographs to parents is encrypted by SSL.
- Acquisition, development and maintenance of systems
- The performance of the online system is tested monthly according to the following criteria:
- System security
- System stability
- Supplier relationships
- The subcontractors’ premises are appropriately secured by locking systems
- Subcontractors are inspected in relation to the security of their locations and any risks to personal data is minimised.
- Subcontractors have appointed a data protection officer where necessary.
- The subcontractor can send personal data encrypted where necessary.
- Corresponding third party data processing contracts have been entered into with the subcontractors
The Photographer currently works with the following subcontractors and the School/Nursery hereby agrees to their appointment.
Company: Fotografen Online Service GmbH (gotphoto.co.uk)
Location: [city, country]: Berlin, Germany
Lisa Victoria Photography
Bristol, BS8 3TZ, UK