Data Processing Agreement - automated processing of image data

Agreement concerning data processing by a processor in accordance with Art. 28 GDPR

Version: March 4, 2021

The controller:
User (Hereinafter referred to as client)

The processor:
Web Future Studio SRL
15 Episcopul Chesarie street, Office 2, Room 1, Tronson F building, ground floor
District 4, Bucharest, Romania
(Hereinafter referred to as contractor)

1. Subject matter of the agreement

(1) The subject matter of this agreement is the implementation of the following tasks: Automated processing of image data (including metadata) as well as integration, monitoring, and troubleshooting of image-related processes. This agreement is to be considered a supplementary document to the processor’s Terms of Use.

(2) The following data categories are processed: Contents of image files, their metadata, and processing instructions.

(3) The following categories of data subjects are subject to the processing: Persons referred to in data provided by the client, e.g., customers or collaborators of the client.

2. Duration of the agreement

The agreement does not have a defined endpoint and can be ended by either party with a notice period of one month on the last day of the month. The option to terminate due to exceptional circumstances remains unaffected.

3. Obligations of the contractor

(1) The contractor commits himself to process the data and the processing results exclusively within the scope of the client's assignment. Should the contractor be required to release data of the client by request of the authorities, then he has to – as far as it is legally permitted – inform the client of the above without delay and refer the authorities to the client. Likewise, the processing of data for the contractor’s own benefit requires written approval by the client.

(2) The contractor declares that he has imposed on any persons assigned to process the data, to adhere to the confidentiality practices prior to the beginning of the task, or that they are bound by an appropriate, legal non-disclosure obligation. The non-disclosure obligations are upheld, even when their assignment is completed, and the contractor no longer employs them.

(3) The contractor declares that he has taken all required steps to ensure that the security of the processing is upheld in accordance with Art. 32 GDPR.

(4) The contractor implements the appropriate technical and organizational measures so that the client can comply with the rights of the affected individuals as per chap. III of the GDPR (information, access, rectification and erasure, data portability, objection, as well as automated individual decision-making) at any time and within the legal deadlines and will submit all necessary information to the client. Should a relevant request be sent to the contractor and should this request show that the sender of the request mistakenly considers him the controller of the processing operated by the contractor, then the contractor must forward this request to the client without delay and notify the sender on the above.

(5) The contractor supports the client with adhering to the obligations, as outlined in Art. 32 to 36 GDPR (data security, notification of a personal data breach to a supervisory authority, communication of a personal data breach to the data subject etc.).

(6) With regard to the provided data, the client is entitled to view and check that data processing facilities at any time, whether in person or via a commissioned third party. The contractor is obligated to provide the client with all necessary information to monitor the compliance with the obligations as outlined in this agreement.

(7) Following the termination of this agreement, the contractor is obligated to destroy, at his request, all processing results and documents that contain data.

(8) The contractor must inform the client immediately, if he is of the opinion that an instruction of the client constitutes a violation of the data protection regulations of the Union or of the Member States.

4. Place of performance of data processing

Data processing is, at least in part, also executed outside of the EU or the EEA, namely in the USA. The appropriate data protection level is established on the basis of an adequacy decision by the European Commission in accordance with Art. 45 GDPR.

5. Sub-Processors

(1) The contractor can employ sub-processors. He must inform the client of the planned use of a sub-processor in such a timely manner, that the client can forbid it. The contractor enters into an agreement with the sub-processor in accordance with Art. 28 para. (4) GDPR. In doing so, he must ensure that the sub-processor adheres to the same obligations as the contractor, with regard to this agreement. Should the sub-processor not comply with data protection obligations, then the contractor is liable vis-à-vis the client for the compliance with obligations of the sub-processor.

(2) The contractor can employ the following sub-processor for the purpose of hosting of cloud infrastructure and services: Amazon S3 Cloud Services.

This service provider has been carefully selected since it offers strong guarantees that any operation involving Personal Data processing conducted by it complies with the GDPR.

The privacy policy of Amazon S3 Cloud Services can be accessed at the following link:

Close Cookie Setting

Cookie Settings

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use this website.
Operate the site and core services
These cookies are required, and they are used to enable the site and related services core functionality. Without them the site could not operate, so they cannot be disabled.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.