Menu

Data Processing Agreement

Last updated: July 17, 2025
General Provisions

This Data Processing Agreement (hereinafter referred to as the “Agreement”) is an integral part of the Terms of Service of Foto.Guru.

By accepting this Agreement, the user (hereinafter referred to as the “Controller”) entrusts Foto.Guru (Yak Consulting sp. z o.o., registered in Żórawina, ul. Brzoskwiniowa 26, KRS 0001182122, REGON 542155680, NIP 8961654267), hereinafter referred to as the “Processor”, with the processing of personal data under the scope and conditions specified below.

§ 1. Subject of the Agreement
  1. The Controller entrusts the Processor with personal data for processing pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as “GDPR”.
  2. The Processor undertakes to process the entrusted personal data in accordance with this Agreement, the GDPR, and other generally applicable laws that protect the rights of data subjects.
§ 2. Scope and Purpose of Data Processing

  1. The Processor shall process the entrusted personal data solely to the extent necessary for the provision of services within the Foto.Guru system, including:

    • customer identification data
    • customer contact data
    • order data
    • files related to orders

  2. The processing of personal data shall concern the following categories of persons:

    • the Controller’s customers
    • the Controller’s employees and associates

  3. The purpose of personal data processing is:

    • providing photography services through the Foto.Guru system
    • order fulfillment
    • customer service
    • data archiving in accordance with defined retention periods

  4. Data retention periods:

    • order files: 14 days from order completion
    • customer data: 30 days from acquisition
    • order data: 6 months from completion
§ 3. Obligations of the Data Processor

  1. The Processor undertakes to: a. process the entrusted data solely on documented instructions from the Controller b. ensure that persons authorized to process personal data are bound by confidentiality obligations c. take all measures required under Article 32 of the GDPR d. comply with the conditions for using another processor’s services e. assist the Controller in fulfilling the obligation to respond to data subject requests f. assist the Controller in fulfilling obligations set out in Articles 32-36 of the GDPR

  2. The Processor applies high-level security measures, including:

    • data encryption
    • ensuring confidentiality, integrity, and availability of data
    • regular testing and assessment of technical measures effectiveness
    • regular backup creation
§ 4. Confidentiality Rules
  1. The Processor undertakes to keep confidential all information, data, and materials.
  2. The Processor declares that confidential data will not be used, disclosed, or made available without the Controller’s written consent.
§ 5. Sub-processing
  1. The Processor may entrust personal data for further processing to subcontractors solely for the purpose of contract performance, with the Controller’s prior written consent.
  2. Transfer of entrusted data to a third country may only occur on the written instruction of the Controller, unless such obligation is imposed on the Processor by Union or Member State law.
§ 6. Liability
  1. The Processor is liable for damages caused by its actions in connection with failure to fulfill obligations that the GDPR imposes directly on the processor.
  2. The Processor is liable for damages caused by failure to apply appropriate security measures.
§ 7. Right of Audit
  1. The Controller has the right to audit whether the measures applied by the Processor in processing and securing entrusted personal data comply with the provisions of the agreement.
  2. The Controller shall exercise the right of audit during the Processor’s working hours with at least 7 days’ prior notice.
§ 8. Duration of the Agreement
  1. This Agreement shall be effective from the moment of its acceptance by the Controller.
  2. The Agreement shall cease to be effective upon deletion of the Controller’s account from the Foto.Guru system.
§ 9. Final Provisions
  1. In matters not regulated herein, the provisions of the Civil Code and the GDPR shall apply.
  2. The court competent to hear disputes shall be the court having jurisdiction over the Processor’s registered office.
  3. Any amendments to this Agreement shall require written form under penalty of nullity.

You don't have an account yet?

Join us for free, without obligation!

Sign up now for free!