Zenfolio Data Processing Agreement
Last Updated: January 27, 2022
This Data Processing Addendum (“DPA”) sets forth the terms and conditions under which Zenfolio, Inc. (“Zenfolio,” “we,” “us,” “our”) will process personal data on behalf of photographers (“you” or “Photographer”) who purchase or otherwise use our Photographer Services.
ANY AND ALL DISPUTES, COMPLAINTS, OR CLAIMS ARISING FROM THIS DPA SHALL, TO THE MAXIMUM EXTENT PERMITTED BY LAW, BE SUBJECT TO THE DISPUTE RESOLUTION AND LIMITATIONS OF LIABILITY PROVISIONS, CRITERIA, AND REQUIREMENTS SET FORTH IN THE ZENFOLIO TERMS OF SERVICE.
1. Definitions
1.1. Applicable Data Protection Law means all laws, statutes, and regulations applicable to the Processing of Photographer Personal Data under the Terms of Service, including (when applicable) the CCPA, the GDPR, and the United Kingdom (UK) Data Protection Act 2018.
1.2. California Consumer Privacy Act (“CCPA”) means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights and Enforcement Act of 2020 and any other applicable amendments (codified at Cal. Civ. Code § 1798.100 et seq.), and includes any and all implementing regulations.
1.3. Data Subject means an identified or identifiable individual whose Personal Data is being Processed by Zenfolio.
1.4. European Union (EU) Standard Contractual Clauses means standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.5. General Data Protection Regulation (“GDPR”) means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and all applicable European Union (EU) Member State legislation implementing the same.
1.6. Personal Data means any information or data that, alone or in combination with other information or data, can be used to reasonably identify a particular individual, household, or device, and is subject to, or otherwise afforded protection under, an Applicable Data Protection Law.
1.7. Photographer Personal Data means the Personal Data that Zenfolio Processes on behalf of Photographer.
1.8. Photographer Services shall have the meaning ascribed in the Zenfolio Terms of Service.
1.9. Photographer Site Content shall have the meaning ascribed in the Zenfolio Terms of Service.
1.10. Subprocessor means any third-party organization engaged by Zenfolio to Process Photographer Personal Data on its behalf.
1.11. United Kingdom (UK) Standard Contractual Clauses means the standard contractual clauses approved by the European Commission by way of Commission Decision C(2010)593, as amended by the UK Information Commissioner’s Office for use in a UK context, available on the date of this DPA at https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx, and as may be amended or replaced by the Information Commissioner’s Office or/and Secretary of State from time to time.
The terms “controller,” “data controller,” “processor,” “data processor,” “processing,” “process,” “data breach,” and “personal data breach” shall have the meanings given in the Applicable Data Protection Law and may be capitalized in this DPA to show that they are defined terms. Any other term that is capitalized but not otherwise defined herein shall be ascribed the meaning in the Zenfolio Terms of Service.
2. Scope. You acknowledge that the Photographer Services are designed and provided for the primary purpose of enabling you to exhibit, organize, print, sell, exchange, and share digital images, videos and related products, and not for the primary purpose of storage, management or Processing of Personal Data.
3. Processing. You expressly acknowledge that: (i) you are the Controller of Personal Data included in the Photographer Site Content; (ii) you hereby appoint Zenfolio as a Processor to Process the Personal Data included in the Photographer Site Content; and (iii) Zenfolio shall Process Personal Data as a Processor as necessary to perform its obligations under this DPA and strictly in accordance with your instructions as documented in this DPA, except where otherwise required by any applicable law. Photographer shall be responsible for complying with all requirements that apply to it under Applicable Data Protection Law. Photographer acknowledges and agrees that it will be solely responsible for the accuracy, quality, and legality of Photographer Personal Data, and for complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Law for the collection and use of the Photographer Personal Data, including obtaining any necessary consents and authorizations from Data Subjects. For the avoidance of doubt, Photographer hereby represents to Zenfolio that Photographer has the legal authority and appropriate business purpose to provide Zenfolio with any and all Photographer Personal Data in conjunction with the Photographer Services, and when legally required, has obtained the consent from all applicable Data Subjects concerning the Processing described herein. Each party shall inform the other party, without undue delay (and in any event within seventy-two (72) hours) if it is not able to comply with its responsibilities set forth in this DPA. Photographer is solely responsible for reviewing the Photographer Services, including any available security documentation and features, to determine whether they satisfy Photographer’s requirements, business needs, and legal obligations.
4. CCPA Disclaimer. For purposes of the CCPA, Photographer shall be considered a “Business” and Zenfolio shall be considered a “Service Provider.” With regard to any Personal Information provided by Photographer to Zenfolio pursuant to this DPA, Zenfolio hereby acknowledges and agrees that it shall not (i) “Sell” the Personal Information, (ii) retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Photographer Services, or (iii) retain, use, or disclose Personal Information outside of the direct business relationship with Photographer. Without limiting the foregoing, each party acknowledges and agrees that the provision of Personal Information from Photographer to Zenfolio does not constitute, and is not the intent of either party for such provision of Personal Information to constitute, a “Sale” of Personal Information, and if valuable consideration, monetary or otherwise, is being provided by Photographer pursuant to the DPA, such valuable consideration, monetary or otherwise, is so being provided for the Photographer Services being rendered and not for the provision of Personal information. For purposes of this Section only, the terms “Business,” “Service Provider,” “Personal Information,” “Sale,” and “Sell” shall have the same meaning as set forth in the CCPA (Cal. Civ. Code § 1798.140). The limitations set forth in this Section shall not be interpreted to prevent Zenfolio from complying with an applicable law, statute, regulation, or a binding order of a governmental or regulatory body.
5. Confidentiality and Security. Zenfolio shall maintain the confidentiality of all Photographer Personal Data and ensure that individuals who are authorized to Process Photographer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Zenfolio shall implement and maintain appropriate technical and organizational measures for its own systems to comply with data privacy in order to ensure a level of data protection appropriate to the risk resulting from the Processing of Photographer Personal Data under this DPA, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the severity and likelihood of realization of risks for the rights and freedoms of Data Subjects. Upon termination or expiration of your Zenfolio account, Zenfolio shall delete Photographer Personal Data from Zenfolio’s custody and control within sixty (60) business days, and it is your responsibility to r
6. Requests; Assistance. Zenfolio shall, to the extent legally permitted, promptly notify Photographer if Zenfolio receives a request from (i) a government or regulatory authority regarding the Processing of Photographer Personal Data (a “Government Access Request”) or (ii) a Data Subject seeking to exercise a data protection right or privilege (a “Data Subject Request”), and Zenfolio shall, to the extent practicable, seek to direct the requestor to Photographer. Taking into account the nature of the Processing, Zenfolio shall assist Photographer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Photographer’s obligation to respond to a Government Access Request or a Data Subject Request. In addition, to the extent Photographer, in its use of the Photographer Services, does not have the ability to address the Government Access Request or the Data Subject Request, Zenfolio shall, upon Photographer’s request, furnish commercially reasonable efforts to assist Photographer in responding to such requests, to the extent Zenfolio is legally required to do so. Photographer shall be responsible for any costs arising from Zenfolio’s provision of such assistance described herein. For the avoidance of doubt, Photographer shall be fully responsible and liable for timely and appropriately responding to a Government Access Request or a Data Subject Request.
7. Impact Assessments; Consultation. Upon Photographer’s request, Zenfolio shall (at Photographer’s sole cost and expense) provide Photographer with commercially reasonable cooperation and assistance (i) needed to fulfil Photographer’s obligation under Applicable Data Protection Law to undertake a data protection impact assessment related to Photographer’s use of the Photographer Services, to the extent Photographer does not otherwise have access to the relevant information, and to the extent such information is available to Zenfolio, and (ii) with respect to a consultation with a governmental or regulatory authority.
8. Audit. At your sole cost and expense, and subject to your compliance with this DPA, you may (no more than once per year) audit Zenfolio’s compliance with its data protection obligations, provided you furnish Zenfolio at least thirty (30) days advance written notice of the same, with such notice to include a detailed proposed audit plan. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Zenfolio will review the proposed audit plan and provide you with any concerns or questions and work cooperatively with you to agree on a final audit plan. Zenfolio will contribute to such audits by providing the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to your use of the Photographer Services where such records are not otherwise available to you through the Photographer Services. The audit must be conducted during regular business hours, may not unreasonably interfere with Zenfolio business activities, and be conducted subject to the agreed final audit plan and Zenfolio’s internal policies. You will provide Zenfolio any audit reports generated as part of any audit unless Applicable Data Protection Law prohibits it. You may use the audit reports only for the purpose of meeting your regulatory audit requirements. The audit reports are confidential information of the parties under this DPA. Where assistance requested of Zenfolio in conjunction with such audit requires the use of resources different from or in addition to those required of Zenfolio under this DPA, you shall pay for such additional resources at Zenfolio’s then-current rates.
9. Security Event. Upon confirming a Personal Data Breach, Zenfolio shall: (i) taking into account the nature of Processing of Photographer Personal Data and the information available to Zenfolio, notify Photographer of the Personal Data Breach within seventy-two (72) hours, or in accordance with the time frame set forth in Applicable Data Protection Law, (ii) provide timely information to Photographer relating to the Personal Data Breach as it becomes known or as is reasonably requested by Photographer, and (iii) promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach. Photographer acknowledges that Zenfolio will not assess the contents of Photographer Personal Data in order to identify information subject to any specific Data Breach notification legal requirements, and Photographer is solely responsible to comply with Data Breach notification laws applicable to Photographer and to fulfill any third-party notification obligations related to any Personal Data Breach. Unless otherwise required by an Applicable Data Protection Law, the parties agree: (i) Zenfolio shall not provide notice of a Personal Data Breach to any third party or otherwise make any public statement on the same, and (ii) to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant supervisory authorities. Zenfolio’s notice obligations set forth herein shall not be interpreted or construed, in any manner or in any form, as an admission of guilt, negligence, or wrongdoing.
10. Subprocessors. To the extent necessary for Zenfolio to fulfill its contractual obligations under this DPA, you hereby authorize Zenfolio to engage and continue to use the Subprocessors identified at Exhibit III (the “Subprocessor List”). Zenfolio will notify applicable Photographers of any changes to such list by updating the Subprocessor List and will give them the opportunity to object to the engagement of the new Subprocessor on reasonable grounds relating to the protection of Personal Data within thirty (30) days after updating the Subprocessor List. If the Photographer does notify Zenfolio of such an objection, the parties will discuss Photographer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Zenfolio will, at its sole discretion, either not appoint the new Subprocessors, or permit the Photographer to suspend or terminate the affected Services in accordance with the termination provisions of this DPA.
11. International Data Transfers
11.1. Data Transfers (EU Standard Contractual Clauses). To the extent Photographer Personal Data originates in the European Economic Area (EEA), the parties shall comply with the EU Standard Contractual Clauses with regard to the transfer and Processing of such Photographer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.1 of this DPA, their provisions will be deemed incorporated by reference into this DPA. To the extent required by the applicable data protection regulations, the parties shall enter into and execute the EU Standard Contractual Clauses as a separate document. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to this Section 11.1 of this DPA, then the following shall apply:
11.1.1 The EU Standard Contractual Clauses shall be governed by the Module Two (Transfer Controller to Processor) clauses in all applicable instances, and the Photographer and/or Photographer’s EU affiliates shall be the data exporter and Zenfolio shall be the data importer.
11.1.2. Each party acknowledges and agrees that Clause 7 (Optional – Docking Clause) of the EU Standard Contractual Clauses shall be deemed incorporated therein and applicable to the parties and third parties.
11.1.3. For purposes of Clause 9(a) (Use of sub-processors) of the EU Standard Contractual Clauses, the parties agree that Option 2 (General Written Authorization) shall apply to the parties, and shall be enforced in accordance with Section 10 and Exhibit III of this DPA.
11.1.4. For purposes of Clause 11 (Redress) of the EU Standard Contractual Clauses, the parties agree that the optional wording shall not be incorporated therein and therefore shall not be applicable to the parties.
11.1.5. For purposes of Clause 17 (Governing law) of the EU Standard Contractual Clauses, the parties agree that the EU Standard Contractual Clauses shall be governed by the law of Ireland and select Clause 17, “Option 1” to this effect.
11.1.6. For purposes of Clause 18 (Choice of forum and jurisdiction) of the EU Standard Contractual Clauses, the parties agree that any dispute arising from the EU Standard Contractual Clauses shall be resolved by the Courts of Ireland.
11.1.7. Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit I to this DPA.
11.1.8. Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit II to this DPA.
11.1.9. Annex III of the EU Standard Contractual Clauses shall be deemed completed with the information set forth in Exhibit III to this DPA and replacement Subprocessors shall be agreed upon in accordance with Section 10 of this DPA. Zenfolio shall not transfer Photographer Personal Data received under the EU Standard Contractual Clauses (nor permit such Photographer Personal Data to be transferred) to a Subprocessor outside the EEA, unless the Subprocessor (i) is established in a country which the European Commission has granted an adequacy status, or (ii) has obtained Photographer’s prior written consent with respect to such transfer and implements and maintains such measures as necessary to ensure the transfer is in compliance with Applicable Data Protection Law, and such measures may include (without limitation) the Subprocessor’s obtaining Binding Corporate Rules authorization in accordance with Data Protection Law, or the execution by a Subprocessor and Zenfolio of the EU Standard Contractual Clauses, Module 3 (Processor to Processor).
11.2. UK Standard Contractual Clauses. To the extent Photographer Personal Data originates in the UK, the parties undertake to apply the provisions of the UK Standard Contractual Clauses to the transfer and Processing of such Photographer Personal Data and hereby incorporate the UK Standard Contractual Clauses (Controller to Processor) by reference into this DPA. In case the parties can no longer rely on the UK Standard Contractual Clauses as an appropriate data transfer mechanism, the parties will conclude an alternative data transfer mechanism to replace the UK Standard Contractual Clauses, at the choice of Photographer, without undue delay. If the parties apply and incorporate the UK Standard Contractual Clauses pursuant to this Section 11.2 of this DPA, then the following shall apply:
11.2.1. In Clause 9 of the UK Standard Contractual Clauses, the parties agree that the UK Standard Contractual Clauses shall be governed by the law of the country of the UK in which the data exporter is established, namely, England and Wales.
11.2.2. For purposes of the “Additional commercial clauses” of the UK Standard Contractual Clauses, the optional “Indemnification” clause is deemed incorporated therein and shall apply to the parties.
11.2.3. Annexes 1 and 2 of the UK Standard Contractual Clauses shall be deemed completed with the information set forth in, as applicable, Section 11.1 of this DPA and Exhibits I through III of this DPA.
11.2.4. Each party hereby acknowledges and agrees that Section III (Local Laws and Obligations in case of access by public authorities) of the EU Standard Contractual Clauses is hereby incorporated by reference into these UK Standard Contractual Clauses. Zenfolio shall not transfer any Photographer Personal Data received under the UK Standard Contractual Clauses (nor permit such Photographer Personal Data to be transferred) to a Subprocessor outside the UK, unless the Subprocessor (i) is established in a country which the UK authorities have granted an adequacy status, or (ii) has obtained Photographer’s prior written consent with respect to such transfer and it implements and maintains such measures as necessary to ensure the transfer is in compliance with Applicable Data Protection Law, and such measures may include (without limitation) the Subprocessor’s obtaining Binding Corporate Rules authorization in accordance with Data Protection Law, or the execution by a Subprocessor and Zenfolio of the Standard Contractual Clauses adopted or approved by the UK Secretary of State or the UK Information Commissioner (and approved by the UK Parliament).
11.3. Switzerland Transfers. To the extent Photographer Personal Data originates in Switzerland, the parties undertake to apply the provisions of the EU Standard Contractual Clauses, as set forth in Section 11.1 of this DPA, to the transfer and Processing of such Photographer Personal Data. If the EU Standard Contractual Clauses are applicable between the parties pursuant to this Section 11.3, their provisions will be deemed incorporated by reference into this DPA. If the parties apply and incorporate the EU Standard Contractual Clauses (as set forth in Section 11.1 of this DPA) pursuant to this Section 11.3, then the following shall apply, where required by the Swiss Federal Act on Data Protection (FADP):
11.3.1. References to the GDPR in the EU Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not the GDPR.
11.3.2. The term “member state” in the EU Standard Contractual Clauses shall not be interpreted in such a manner as to exclude Data Subjects in Switzerland from enforcing their rights in Switzerland in accordance with Clause 18(c) of the EU Standard Contractual Clauses, provided Switzerland is their habitual residence.
11.3.3. For purposes of Annex I(C) of the EU Standard Contractual Clauses, (i) where the data transfer is subject exclusively to the Swiss FADP (and not the GDPR), the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (ii) where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority set forth in Exhibit I of this DPA insofar as the transfer is governed by the GDPR.
11.4. Other Transfers. To the extent Photographer Personal Data originates outside of the EEA, Switzerland, or the UK, and the parties seek to transfer and Process such Photographer Personal Data across national borders, the parties shall also undertake to apply, as appropriate, the provisions of the EU Standard Contractual Clauses or UK Standard Contractual Clauses to such transfer and Processing, provided that the EU Standard Contractual Clauses or UK Standard Contractual Clauses are legally required and sufficient to meet the requirements of the Applicable Data Protection Law for the transfer and Processing of Personal Data across national borders.
11.5. Surveillance Disclaimers. If the parties apply and incorporate the EU Standard Contractual Clauses pursuant to Sections 11.1 or 11.3 of this DPA or the UK Standard Contractual Clauses pursuant to Section 11.2 of this DPA, then Zenfolio hereby represents and warrants the following to be true, accurate, and complete: (i) For the purposes of 50 United States Code (U.S.C.) § 1881(4), or any other similar provision in the jurisdictions where Zenfolio is located, Zenfolio is an “electronic communication service provider” or otherwise directly subject to 50 U.S.C. § 1881a (“FISA § 702”) or provision with a similar effect in your country of residence, (ii) Zenfolio has never cooperated with public authorities conducting surveillance of communications pursuant to Executive Order (EO) 12333, as amended, or any other similar provision in the jurisdictions where Zenfolio is located, with regard to Personal Data in Zenfolio’s custody or control, (iii) Zenfolio has never been the subject of a FISA § 702 warrant, or any other similar provision in the jurisdictions where Zenfolio is located, with regard to a request for disclosure of any Personal Data that it Processes, and (iv) Zenfolio has established internal procedures and processes for responding to FISA § 702 warrants, for cooperating with national security agencies under EO 12333, and for complying with any provision similar to either of the foregoing in the jurisdictions where Zenfolio is located.
Exhibit I (Data Processing Activities)
A. List of parties:
Name (Data Exporter) | The Photographer |
Address | As set forth in the Photographer’s account |
Contact person’s name, position and contact details | As set forth in the Photographer’s account |
Activities relevant to the data transferred under these Clauses | Set forth below (Section B. Description of Transfer) |
Signature and date | By executing the Terms of Service of which this DPA forms an integral part |
Role (Controller / Processor) | Photographer is the Data Controller |
Name (Data Importer) | Zenfolio, Inc. |
Address | 3515 A Edison Way, Menlo Park CA 94025 |
Contact person’s name, position and contact details | [email protected] |
Activities relevant to the data transferred under these Clauses | Set forth below (Section B. Description of Transfer) |
Signature and date | By executing the Terms of Service of which this DPA forms an integral part |
Role (Controller / Processor) | Zenfolio is a Data Processor |
B. Description of Transfer: Unless otherwise set forth in a statement of work, order form, or similar documentation, the description of the Personal Data transferred is as follows:
(i) Categories of Data Subjects: Photographer solely determines the categories of Data Subjects whose Personal Data is subject to Zenfolio Processing, which includes the following categories of Data Subjects: Photographer’s employees, contractors, and end-users of the Photographer Services, including individuals captured on Photographer’s images and photographs.
(ii) Categories of Personal Data transferred: Photographer solely determines the categories of Personal Data subject to Zenfolio Processing, which includes the following categories of Data Subjects: names, shipping address, email, telephone number, account usernames and registration information, payment card data, and individuals depicted in Photographer’s images and photographs.
(iii) Sensitive data transferred: Photographer solely determines whether sensitive Personal Data is subject to Zenfolio Processing, and such sensitive Personal Data includes the following: biometric data (if such feature is utilized in Photographer’s sole discretion), and individuals depicted in Photographer’s images and photographs.
(iv) The frequency of transfer: Continuous and for so long as Photographer uses the Photographer Services.
(v) Nature of Processing: To provide the Photographer Services.
(vi) Purpose of the data transfer and further Processing: To provide Photographer access to, and use of, the Photographer Services.
(vii) The period for which Personal Data will be retained: For the duration of the Terms of Service and for the termination and transition period thereafter, as set forth in the Terms of Service.
(viii) Subprocessor transfers: The relevant information as set forth in Section 10 and Exhibit III of this DPA.
C. Competent Supervisory Authority: The competent supervisory authority shall be established in accordance with Clause 13 of the EU Standard Contractual Clauses.
* * * * * * * * *
Exhibit II (Security Controls)
Zenfolio shall implement and maintain appropriate technical and organizational measures to ensure a level of data protection appropriate to the risk resulting from the Processing of Photographer Personal Data under this DPA, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the severity and likelihood of realization of risks for the rights and freedoms of Data Subjects, which shall include the following:
- Encryption of Personal Data.
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services.
- Measures for ensuring the ability to restore the availability and access to Photographer Personal Data in a timely manner in the event of a physical or technical incident.
- Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the Processing.
- Measures for the protection of data during storage.
- Measures for ensuring physical security of locations at which Photographer Personal Data is retained.
- Measures for ensuring system configuration, including default configuration.
- Measures for internal IT and IT security governance and management.
- Measures for certification/assurance of processes and products.
- Measures for ensuring limited data retention.
- Measures for ensuring accountability.
- Measures for allowing data portability and ensuring erasure.
Obligations with respect to Subprocessors are set forth in the DPA.
* * * * * * * * *
Exhibit III (Subprocessor List)
Zenfolio’s Subprocessor List is available at https://zenfolio.com/third-party-providers/.