DPA

This Data Processing Agreement (“DPA“) is hereby entered by and between Atadat Ltd. (collectively ” Company” or “opono.net“) and the Photographer. Each a “party” and collectively, the “parties”, and is an integral part of the Terms of Service executed between the parties (“Terms“). Capitalized terms used herein and not defined herein shall have the respective meanings given to them in the Terms. This DPA sets forth the parties™ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties and under the Terms.

  1. DEFINITIONS
    1. Adequate Country” is a country that received an adequacy decision from the Türkiye and European Commission.
    2. The terms “Controller“, “Personal Data“, “Processor“, “Data Subject“, “Processing” (and “Process“), “Personal Data Breach“, “Special Categories of Personal Data” and “Supervisory Authority“, shall all have the same meanings as ascribed to them in the Türkiye, EU Data Protection Law, CPA, VCDPA, CTDPA. The terms “Business“, “Business Purpose“, “Consumer“, “Cross-contextual Advertising”, “Contractor“, “Service Provider“, “Sale“, “Sell”and”Share“, “Targeted Advertising“, “Third Party Business“, shall have the same meaning as ascribed to them in the TÜRKİYE Data Protection Laws. “Data Subject” shall also mean and refer to (under this DPA) a “Consumer“, as such term defined in the TÜRKİYE Data Protection Laws “Personal Data” shall include “Personal Information” under this DPA.
    3. Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the TÜRKİYE Data Protection Laws) as may be amended or superseded from time to time.
    4. EEA” means the European Economic Area.
    5. EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR“); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
    6. Turkiye Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Türkiye Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
    7. 1.10.”Photographer Data” means any and all Personal Data uploaded by the Photographer to the Service, including any photographs of the Photographers, all as detailed in Annex I .
    8. 1.11.”Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Photographer Data. Any Personal Data Breach will comprise a Security Incident.
    9. 1.12.”Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here Standard Contractual Clauses .
    10. 1.13.”Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA“); (ii) The Ordinance on the Federal Act on Data Protection (“FODP“); (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
    11. 1.14.” Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
    12. 1.15.”US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA and applies to opono.net” Processing of Photographer Data, and any implementing regulations and amendment thereto, including without limitation, the CCPA, the CPA, the CTDPA, and the VCDPA.
    13. 1.16.”UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
    14. 1.17.”UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
    15. 1.18.”UK Standard Contractual Clauses“or “UK SCC” means the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as adopted, amended or updated by the UK Information Commissioner Office (“ICO“), Parliament or Secretary of State.
    16. 1.19.”VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.

Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Data Protection Laws. A reference to any term or section of the Protection Laws means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law.

  1. ROLES AND DETAILS OF PROCESSING
    1. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Photographer Data, and according to the applicable Data Protection Laws, opono.net” is acting as a Data Processor, or Service Provider and Photographer is acting as a Data Controller or Business.
    2. Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law.
    3. The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
    4. Additional US Data Protection Laws specifications are further detailed in Annex VII.
  1. REPRESENTATIONS AND WARRANTIES
    1. opono.net“represents and warrants that it shall Process Photographer Data, on behalf of the Photographer, solely for the purpose of providing the Service, all in accordance with Photographer™s written instructions under the Agreement and this DPA. Notwithstanding the above, in the event opono.net” is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Photographer Data other than as instructed by Photographer, opono.net” shall make its best efforts to inform the Photographer of such requirement prior to Processing such Photographer Data, unless prohibited under applicable law.
    2. opono.net” shall provide reasonable cooperation and assistance to the Photographer in ensuring compliance with its obligation to carry out data protection impact assessments.
    3. Where applicable, opono.net” shall assist the Photographer in ensuring that Photographer Data Processed is accurate and up to date, by informing the Photographer without delay if it becomes aware of the fact that the Photographer Data it is processing is inaccurate or has become outdated.
    4. opono.net” shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Photographer Data; (ii) that persons authorized to process the Photographer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    5. Notwithstanding the above, in any event that the Israeli Law applies, the parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.
  2. DATA SUBJECTS RIGHTS AND REQUEST
    1. It is agreed that where opono.net” receives a request from a Data Subject or an applicable authority in respect of Photographer Data, where applicable, opono.net” will notify the Photographer of such request promptly and direct the Data Subject or the applicable authority to the Photographer in order to enable the Photographer to respond directly to the Data Subject™s or the applicable authority™s request, unless otherwise required under applicable laws.
    2. Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject™s or applicable authority™s request, to the extent permitted under Data Protection Law.
  3. SUB-PROCESSING
    1. The Photographer acknowledges that opono.net” may transfer Photographer Data to and otherwise interact with third party data Processors (“Sub-Processor“). The Photographer hereby authorizes opono.net” to engage and appoint such Sub-Processors as listed in Annex III, to Process Photographer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. opono.net” may continue to use those Sub-Processors already engaged by opono.net“, as listed in Annex III , or to engage an additional or replace an existing Sub-Processors to process Photographer Data, subject to the provision of a thirty (30) day prior notice of its intention to do so to the Photographer. In case the Photographer has not objected to the adding or replacing of a Sub-Processor within such notice time, such Sub-Processor shall be deemed approved by the Photographer. In the event the Photographer objects to the adding or replacing of a Sub-Processor, opono.net” may, under opono.net“™ sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.
    2. opono.net” shall, where it engages any Sub-Processor, impose, through a legally binding contract between opono.net” and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. opono.net” shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
    3. opono.net” shall remain responsible to the Photographer for the performance of the Sub-Processor™s obligations in accordance with this DPA. opono.net
    4. List of Sub-Processors is further detailed in Annex III .
  4. TECHNICAL AND ORGANIZATIONAL MEASURES
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, opono.net” hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Photographer Data as required under Data Protection Laws to ensure lawful processing of Photographer Data and safeguard Photographer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
    2. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
    3. The security measures implemented and maintained by opono.net” are further detailed in Annex II.
  5. SECURITY INCIDENT
    1. opono.net” will notify the Photographer without undue delay (and in any event within 24 hours) upon becoming aware of any Security Incident involving the Photographer Data. opono.net“m™ notification regarding or response to a Security Incident under this Section 6 shall not be construed as an acknowledgment by opono.net“of any fault or liability with respect to the Security Incident.
    2. opono.net“will: (i) take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Photographer and provide the Photographer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Photographer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Photographer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Photographer and assist Photographer with its obligation to notify the affected individuals in the case of a Security Incident.
  6. AUDIT RIGHTS
    1. opono.net” shall maintain accurate written records of any and all the processing activities of any Personal Data carried out under this DPA and shall make such records available to the Photographer and applicable supervisory authorities upon written request. Such records provided shall be considered opono.net“‘ Confidential Information and shall be subject to confidentiality obligations.
    2. Photographer may audit opono.net“compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor or a comparable certification or other security certification of an audit conducted by a third-party auditor, within 12 months as of the date of Photographer™s request.
    3. Alternatively, in the event the records and documentation provided subject to Section 7.1 and 7.2 above are not sufficient for the purpose of demonstrating compliance, opono.net“hall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Photographer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Photographer Data (“Audit“) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties), opono.net“may object to an auditor appointed by the Photographer in the event opono.net“reasonably believes the auditor is not suitably qualified or is a competitor of opono.net“. Photographer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to opono.net“™ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit.
    4. Nothing in this DPA will require opono.net” either to disclose to Photographer or its third-party auditor, or to allow Photographer or its third-party auditor to access: any data of any other Photographer; opono.net“™ internal accounting or financial information; any trade secret of a opono.net” or its Affiliates; any information that, in opono.net“™ reasonable opinion, could compromise the security of any opono.net“™ systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or any information that Photographer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Photographer™s obligations under the Data Protection Laws.
  7. CROSS BORDER PERSONAL DATA TRANSFERS
    1. Where the Türkiye, GDPR, UK GDPR or the Swiss FADP is applicable, and the Processing of Photographer Data by opono.net” (or by a Sub-Processor) includes transfer of Photographer Data (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), Türkiye, UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Photographer Data under is in place.
    2. When Photographer and opono.net“, or opono.net” and or its Sub-Processor relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:
      1. transfer of Photographer Data from the EEA the terms set forth in Annex IV shall apply.
      2. transfer of Photographer Data from the UK, the terms set forth in Annex V shall apply; and
      3. transfer of Photographer Data from Switzerland, the terms set forth in Annex VI shall apply.
  8. TERM, TERMINATION AND CONFLICT
    1. This DPA shall be effective as of the Effective Date (as defined in the agreement) and shall remain in force until the Agreement terminates or as long as opono.net” processes Personal Data.
    2. opono.net” shall be entitled to terminate this DPA or cease the Processing of Photographer Data in the event that Processing of Photographer Data under the instructions or this DPA infringe applicable legal requirements and opono.net” notified the Photographer of such infringement and the Photographer did not cure such infringement within 10-days. Alternately, opono.net” may, in its sole discretion, suspend the processing of the Personal Data until such infringement is cured without terminating the DPA. Following the termination of this DPA, opono.net” shall, at the choice of the Photographer, delete all Photographer Data processed on behalf of the Photographer and certify to the Photographer that it has done so, or, return all Photographer Data to the Photographer and delete existing copies, unless applicable law or regulatory requirements requires that opono.net“s.com continue to store Photographer Data. Until the Photographer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Photographer™s choice shall be provided in writing to opono.net“, following effect of termination.
    3. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.

ANNEX I

DETAILS OF PROCESSING

This Annex includes certain details of the Processing of Personal Data as required under the Data Protection Laws.

Categories of Data Subjects:

  • Photographers;
  • Customers;

Categories of Personal Data:

  • Customer photographs and contact information .
  • Photographer contact information if applicable .

Special Categories of Personal Data:

  • Nude Customer photographs, if any.
  • Child Customer photographs, if any

Nature of the processing:

Collection, storage, organization, communication, transfer, host and other uses in performance of the Services as set out in the Agreement.

Purpose(s) of Processing:

To provide the Service.

Retention Period:

For as long as is necessary to provide the Service by opono.net“; provided there is no legal obligation to retain the Personal Data post termination or unless otherwise requested by the Photographer.

Process Frequency:

Continuous basis

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES

General Background:

This Technical and Organizational Measures Annex sets out the measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, the measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the measures taken for user identification and authorization as well as the measures taken for the protection of data during storage and during transmission.

(II) Specification

System Access Control

Access to the Company™s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. The Company has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow strict access or use to Personal Data, all in accordance with such employee™s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and the passwords used to gain access. The Company uses automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack.

Physical Access Control

The Company ensures the protection of the data servers which store the Personal Data for the Company from unwanted physical access.

The data processed by the Company is stored on Hostinger’s servers and AWS servers which are located in the TÜRKİYE, EU, the US and Australia. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, encryption by default, at rest and in transit. The Company also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company™s offices by using security locks and an alarm system, amongst other measures as well.

Data Access Control

User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Personal Data, as well as any action performed involving the use of Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Furthermore, the Company conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. The Company revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access Personal Data that are located in their individual profiles.

Organizational and Operational Security

The Company puts a lot of effort and invests a lot of its resources into ensuring that the Company™s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. The Company strives to raise awareness regarding the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software.

Transfer Control

The Company will conduct transfer impact assessments (” TIA “) if required by applicable law with respect to all transfers of Personal Data and is able to share the TIA upon a Photographer™s or Customer™s request. The purpose of a transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of such Personal Data or during its transportation or storage in the applicable data center. Furthermore, any and all transfers of the Personal Data (either between the Visitors, the Photographers, the Customers, the Company™s service providers and the Company™s servers) is secured and encrypted. Default encryption is implemented in transit and at rest.

Availability Control

The Company maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, the Company™s servers include an automated backup procedure. The Company also conducts regular controls of the condition and labelling of data storage devices for data security. The Company ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.

Data Retention

Personal Data is retained for as long as needed for us to provide our Service or as required under applicable laws.

Job Control, Third-Party Contractors And Service Provider

All of the Company™s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee™s obligation or non-compliance with the Company™s policies, the Company implements certain repercussions in order to ensure compliance with the Company™s policies. In addition, prior to the Company™s engagement with third party contractors, the Company undertakes diligence reviews of such third-party contractors. The Company agrees with third party contractors on effective rights of control with respect to any Personal Data processed on behalf of the Company. The Company ensures that it enters into data protection agreements with all of its clients and service providers.

Data Subject Request

The Company has an online mechanism to enable individuals to submit a data subject request (“DSR“), furthermore, the Company has implemented internal policies to handle DSRs, subject to applicable data protection laws and contractual obligations.

Contractual Obligations

The Company has ensured all documents, including without limitations, agreements (including online agreements) and privacy policies are compliant with applicable Data Protection Regulation, including, by implementing Data Processing Agreements and where needed Standard Contractual Clauses (either pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).

Additional Safeguards

Measures and assurances regarding U.S. government surveillance (” Additional Safeguards “) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision (” Schrems II“), these measures include the following:

encryption both in transit and at rest;

  • As of the date included in the “Last Updated” header above, the Company has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
  • No court has found the Company to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C §¯1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
  • The Company will not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
  • The Company will use all available legal mechanisms to challenge any demands for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto.
  • The Company will notify Photographer (if required and as applicable) if it can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.

ANNEX IV

EU INTERNATIONAL TRANSFERS AND SCC

  1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to the transfer of Photographer Data from the EEA to other countries that are not deemed as Adequate Countries.
  2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Photographer as the data controller of the Photographer Data and opono.net” is the data processor of the Photographer Data.
  3. The parties agree that for the purpose of transfer of Photographer Data between Photographer (as Data Exporter) and opono.net“(as Data Importer), the following shall apply:
    1. Clause 7 of the Standard Contractual Clauses shall not be applicable.
    2. In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processing Section of the DPA.
    3. In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
    4. In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Photographer is established (where applicable).
    5. In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
  4. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
    1. Data Exporter“: Photographer
    2. Data Importer“: opono.net
    3. Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.
    4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.
    5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
  5. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
    1. The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties™ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
    2. The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
    3. The sub-processor which personal data is transferred are listed in Annex III.
  1. Annex I.Cof the Standard Contractual Clauses shall be completed as follows:the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
  2. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
  3. Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.
  4. Transfers to the US:Measures and assurances regarding US government surveillance (“Additional Safeguards“) are further detailed in Annex II.

ANNEX V

UK INTERNATIONAL TRANSFERS AND SCC

  1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses , and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Photographer Data from the UK to other countries that are not deemed as Adequate Countries.
  2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Photographer Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.
  3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
  4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
  5. Amendments to the UK Standard Contractual Clauses:
    1. Part 1: Tables
      1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.
      2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.
      3. Table 3 Appendix Information:

Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.

Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.

Annex III: List of Sub processors: shall be completed as set forth in Annex III above.

  1. Table 4 ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.

ANNEX VI

SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:

  • The term ™Member State™ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
  • The clauses in the DPA protect the Photographer Data of legal entities until the entry into force of the upcoming revised FDPA.
  • All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
  • References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
  • In respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
  • The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.

ANNEX VII

US DATA PROTECTION LAWS ADDENDUM

This TÜRKİYE Privacy Law Addendum (“TÜRKİYE Addendum“) adds specification applicable to TÜRKİYE Data Protection Laws. All terms used but not defined in this TÜRKİYE Addendum shall have the meaning set forth in the DPA.

  1. CCPA Specifications:

1.1. For the purpose of the CCPA, Photographer is the Business and opono.net” is the Service Provider.

1.2. opono.net“hall Process Photographer Data on behalf of the Photographer as a Service Provider under the CCPA and shall not: (i) Sell or Share the Photographer Data; (ii) retain, use or disclose the Photographer Data for any purpose other than for a business purpose specified in the Agreement; or (iii) combine the Photographer Data with other Personal Data that it receives from, or on behalf of, another Photographer, or collects from its own interaction with California residents, expect as otherwise permitted by the CCPA.

1.3. if, and to the extent applicable, opono.net” shall assist Photographer in respect of consumer request to limit the use of its Sensitive Personal Information (“SPI”).

1.4. opono.net” certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Photographer Data.

  1. US Applicable States Specifications:

2.2. opono.net” agrees to notify the Photographer if opono.net“makes a determination that it can no longer meet its obligations under this Türkiye Data Protection Law.

2.3. opono.net” shall provide information necessary to enable the Photographer to conduct and document any data protection assessments required by TÜRKİYE Data Protection Laws. Notwithstanding the above,opono.net” is responsible for only the measures allocated to it.

2.4. opono.net” shall provide assistance and procures that its subcontractors will provide assistance as Photographer may reasonably request, where and to the extent applicable, in connection with any obligation by Photographer to respond to Consumer™s requests for exercising their rights under the TÜRKİYE Data Protection Laws. Including without limitation, by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Photographer’s respective obligation to respond. opono.net“acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for Processing the Photographer Data.

2.5. Each party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk a clear allocation of the responsibilities between them to implement these measures. opono.net” technical measures are detailed in the DPA and Annexes above.

2.6. The Processing instructions, including the nature of Processing, purpose of Processing, the duration of Processing, the type of personal data and categories of data subjects, are set forth in Annex I above.

2.7. In addition to the Audit rights under Section 8 of the DPA, under Türkiye Data Protection Laws and subject to Photographer™s consent, opono.net“may alternately, in response to Photographer™s on premises audit request, initiate a third-party auditor to verify opono.net“™ compliance with its obligations under this Türkiye Data Protection Laws. During such an audit, opono.net“will make available to the third-party auditor all information necessary to demonstrate such compliance.

2.8. Each party will comply with the requirements set forth under TÜRKİYE Data Protection Laws with regards to processing of de-identified data, as such term is defined under the applicable TÜRKİYE Data Protection Law.

  1. When processing Photographer Data or Usage Data (as defined in the Agreement) for the permitted purposes under TÜRKİYE Data Protection Laws opono.net” shall ensure it complies with applicable laws and shall be liable for such Processing activities.
Shopping Basket
error: Content is protected !!