Data Processing Agreement (DPA)

§ 1.
General provisions

1. These terms and conditions of entrustment of personal data processing (hereinafter referred to as the: „Rules of Entrustment”) shall specify the rules and conditions of entrustment of the processing of personal data stored by the Photographer on the Photographer Account.
2. For matters not regulated by the Rules of Entrustment, the provisions of the Terms and Conditions of the Mafelo platform (hereinafter referred to as the: „Terms and Conditions of the Platform”) shall apply.
3. Any capitalized terms that have not been defined in the Rules of Entrustment shall have the meaning assigned to them in the Terms and Conditions of the Platform.
4. The Rules of Entrustment constitute the template of the agreement provided for in Art. 28 of Regulation of the European Parliament and the Council (EU) 2016/679 dated 27 April 2016 on protection of individuals with regard to processing of personal details and on the free movement of such data and repeal to Directive 95/46/EC (the General Data Protection Regulation) (hereinafter referred to as: „GDPR”).

§ 2.
Entrustment of personal data processing

1. The Photographer (hereinafter also referred to as the: „Administrator”) shall entrust the Service Provider (hereinafter also referred to as the: „Processor) with the processing of personal data pursuant to Art. 28 of the GDPR, within the scope provided for in § 3 of the Rules of Entrustment.
2. The Administrator declares that:
   1. they are the administrator of personal data entrusted to the Processor under the Rules of Entrustment;
   2. the Administrator collects and processes the personal data entrusted to the Processor for processing in accordance with the GDPR and other regulations of commonly applicable law.
3. The Processor shall be obligated to process the personal data within the scope and under conditions provided for in the Rules of Entrustment, the GDPR and other regulations of commonly applicable law.
4. The Processor shall provide the service specified in the Terms of Entrustment as part of the remuneration specified in the Terms and Conditions of the Platform and in the Price List.

§ 3.
The subject, nature, purpose and time of data processing

1. Personal data entrusted by the Administrator shall be processed by the Processor solely upon the documented instruction of the Administrator and solely for the purpose of providing services indicated in the Terms and Conditions of the Platform. The “documented instruction” shall be in particular understood as the Administrator's conclusion of the Agreement for provision of the Photographer Account Service (hereinafter also referred to as the: „Master Agreement”).
2. The Administrator shall entrust the Processor with the processing of the following categories of personal data (hereinafter referred to as: „the entrusted personal data”):
   1. names and surnames;
   2. images;
   3. addresses of electronic mail;
   4. correspondence addresses;
   5. phone numbers;
   6. IP addresses;
   7. other personal data provided by the data subject.
3. The Administrator shall entrust the Processor with the processing of personal data that belongs to the Customers who concluded the Session Agreement with the Administrator or made attempts to conclude it.
4. Personal data entrusted by the Administrator under the Rules of Entrustment shall not be considered as special category data referred to in Art. 9 of the GDPR or as data regarding criminal convictions and offences referred to in Art. 10 of the GDPR.
5. The processing of the entrusted personal data shall be carried out with the use of information systems (in an automated manner).

§ 4.
Obligations, rights and declarations of the Processor

1. The Processor shall obligate to secure the entrusted personal data by implementing (before the commencement of the processing) and maintaining technical and organizational measures proper for the nature, range, context and purpose of processing of entrusted data, including measures required by relevant provisions of commonly applicable law, in order to ensure that the processing meets the requirements of the GDPR.
2. The Processor shall obligate to ensure that persons authorized to process the personal data entrusted under the Rules of Entrustment have been obligated to keep confidentiality and be subjected to the relevant regulatory obligation to maintain secrecy.
3. The Processor shall, in the scope justified by the subject of the Master Agreement and where possible, help the Administrator in their fulfillment of the obligation to reply to the demands of data subjects within the scope of rights arising from regulations of commonly applicable law, including Chapter III of the GDPR, exercised by the data subjects.
4. The Processor shall be obligated to immediately notify the Administrator:
   1. about each case of security breach of the entrusted personal data, whereby the “security breach of the entrusted personal data” shall be understood as any accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to the entrusted personal data. The notifications referred to in this point 1 must be submitted not later than within 24 hours from the detection of the security breach of the entrusted personal data;
   2. about each request received from a data subject, at the same time refraining from replying to such a request until the Administrator provides their opinion. The notifications referred to in this point 2 must be submitted not later than within 24 hours from the receipt of the request;
   3. about each case of a legally justified request for disclosure of personal data to a competent authority, unless the prohibition of notification arises from provisions of law, particularly from provisions governing criminal proceedings, when the request is to ensure confidentiality of the launched investigation;
   4. about the inspection carried out by the President of the Personal Data Protection Office or another supervisory body within the scope compliance of personal data processing and results thereof or about other actions of public authorities with regard to such data.
5. The Processor shall obligate, within scope justified by the subject of the Master Agreement and information held by the Processor, to support the Administrator in fulfillment of the Administrator's obligations arising from the commonly applicable regulations of law, including Art. 32-36 of the General Data Protection Regulation and regulations regarding the safety of personal data processing, as well as in reporting safety breaches of personal data to the supervisory authority and the data subject, assessing the outcomes for data protection and consultations with the supervisory authority in relation thereof.
6. The Processor shall be obligated:
   1. to provide the Administrator, within 14 days from the date of received request, with any information and documents necessary to prove the Administrator's fulfillment of the obligations imposed on them under regulations of commonly applicable law;
   2. to allow the Administrator or the auditor authorized by the Administrator to carry out audits, including inspections, and lead to them, under rules that will be each time arranged by the parties and subject to the provisions of this section.
7. The audit referred to in section 6 point 2 above must not be carried out:
   1. earlier than 14 days from the date on which the Processor received the notification on the audit, on the date arranged by the Parties and
   2. once the Processor and the Administrator or their authorized auditor conclude a confidentiality agreement.
8. After completion of the audit, the Parties shall draw up a protocol in 2 counterparts that shall be signed by authorized representatives of both Parties. The Processor shall have the right to express reservations to the protocol within 5 Working Days from the date on which the protocol was signed by representatives of the Parties.
9. If the course of the audit reveals deficiencies which affect the safety of the processing of entrusted personal data, the Processor shall obligate to comply with the instructions formulated by the Administrator or the auditor authorized by the Administrator.

§ 5.
Obligations of the Administrator

1. The Administrator shall be obligated to ensure, throughout the whole duration of the Master Agreement, that they will hold the legal basis for the processing of the entrusted personal data and proper rights to entrust the said personal data to the Processor. In case of loss of the a/m legal basis or rights in relation to certain entrusted personal data, the Administrator shall be obligated to immediately take steps necessary to cease the entrustment; in particular, the Administrator shall be obligated to notify the Processor about it.
2. The Administrator shall be obligated not to give the Processor any instructions regarding personal data processing which would be against the regulations of commonly applicable law, provisions of the Rules of Entrustment or other contractual obligations.

§ 6.
Further entrustment of personal data

1. The Administrator gives a general consent to the Processor's further entrustment of personal data processing (hereinafter referred to as: “sub-entrustment”) to sub-contractors selected by the Processor.
2. The list of sub-contractors that the Processor sub-entrusted the personal data processing to shall be kept by the Processor and provided to the Administrator upon the Administrator's request.
3. The Processor shall ensure that:
   1. the sub-processor will use proper technical and organizational measures in order to guarantee processing of the entrusted personal data that will be in line with provisions of the GDPR;
   2. the scope of duties of the sub-processor within the scope of data protection shall be the same as the duties of the Processor provided for in the Entrustment Agreement.
4. If the Processor intends to sub-entrust the processing of personal data to a particular sub-contractor, the Processor shall be obligated to notify the Administrator about it not later than within 7 (seven) days from the date of sub-entrustment via electronic mail. The Administrator shall object to sub-entrustment referred to in the previous sentence by reporting their objection via electronic mail within 7(seven) days from the date on which they received the notification on sub-entrustment.
5. After the ineffective expiry of the deadline to report the objection referred to in section 4 above, the Processor shall have the right to sub-entrust the processing of personal data to the selected subcontractor.
6. In case of an objection described in section 4 above, the Processor shall have the right to withdraw from the Master Agreement without notice.
7. Sub-entrustment referred to in section 4 above shall not constitute a change in the Rules of Entrustment.

§ 7.
Duration of the Rules of Entrustment

Provisions of the Rules of Entrustment shall apply for the duration of the Master Agreement.

§ 8.
Effects of termination of the Master Agreement

In case of termination of the Master Agreement, the Processor shall immediately, not later than within 14 Working Days from the date of termination of the Master Agreement, return to the Administrator and remove from their own storage mediums any personal data the processing of which has been entrusted, also including effective removal of such data from electronic storage mediums at their disposal. Provisions of the previous sentence shall not apply to personal data that the Processor must retain, pursuant to the commonly applicable regulations of law, for a period longer than the duration of the Master Agreement.

§ 9.
Liability

If any of the parties infringes the Master Agreement, provisions of the Rules of Entrustment, regulations of the GDPR or other regulations of the commonly applicable law, as a result of which the other party incurs damage, the party responsible for the infringement shall be obligated only to repair the actual damage and shall not be liable for benefits lost by the other party due to the infringement.

§ 10.
Changes in the Rules of Entrustment

In case of changes of the Rules of Entrustment, provisions of § 19 of the Terms and Conditions of the Platform shall apply accordingly.

§ 11.
Final Provisions

The current version of the Terms and Conditions shall apply from 20 March 2023.