How SpotMyPhotos protects user privacy under GDPR (General Data Protection Regulation)

Effective Date: September 15th, 2023

From our founding in 2012, SpotMyPhotos has been built with privacy at its core – and our privacy-first data practices have always been in line with the spirit and fundamentals of GDPR. The principles of anonymization, data minimization, purpose limitation, and security of the GDPR are aligned with our core values. With that as a foundation, we fully support our users in complying with the General Data Protection Regulation (GDPR or (EU) 2016/679), which came into affect on May 25, 2018.

This article is meant to be a resource to help our users understand the scope of the GDPR in relation to using SpotMyPhotos. It does not constitute legal advice, representations, or warranties of SpotMyPhotos and we are not responsible for any reliance on the information below. We encourage you to seek professional legal advice if you have questions about how the GDPR may affect your organization and procedures.

The GDPR protects any personal data relating to an individual by limiting how personal data is collected, handled, and distributed. The GDPR regulates two types of persons that process personal data:

Processors are entities who process personal data on behalf of data controllers. Processors have obligations including implementing appropriate technical and organizational security measures that meet the requirements of the GDPR. In this case, SpotMyPhotos is a processor.

Controllers are people who determine the purpose and means of processing of personal data. Controllers are primarily responsible for compliance with the GDPR, including in relation to personal data processed by their processors. For GDPR, SpotMyPhotos users (e.g. photographers and event professionals) are the controllers.

As a processor, we’ve prepared our technology and team to ensure compliance with the GDPR’s requirements by implementing appropriate technical and organizational measures to ensure that personal data processed through SpotMyPhotos is secured, and to notify users of a personal data breach as quickly as possible, to ensure they can comply with their own data breach notification obligations. From a technical perspective, all our servers are fire-walled and kept updated with the latest security and testing protocols. We are also committed to maintaining transparency into our approach around the secure handling of personal data, and provide access to personal data for our users in the event data needs to be moved, corrected, or deleted.

While adherence to the GDPR requirements is ultimately the responsibility of our users, we have also taken initiatives to assist SpotMyPhotos users to comply with their own obligations as Controllers under the GDPR by revising our End User License Agreement and Privacy Policy to gather consent from guests to process their personal data where required by GDPR, as well as implementing workflows to help users respond quickly to data requests for access, rectification, erasure, and retrieval of personal data which is being processed by SpotMyPhotos.

The processing activities conducted by a processor (like SpotMyPhotos) on behalf of a controller (our users) must be governed by a written contract, or other binding legal act, which complies with the GDPR. Our End User License Agreement (EULA) is this contract. All users (e.g. event professionals) must digitally accept the terms of the EULA in order to use the SpotMyPhotos. Changes to the EULA will be displayed to you via a message on your SpotMyPhotos dashboard. We will notify users of changes to our privacy policy in the same way. SpotMyPhotos requires third parties that process personal data on our behalf to sign data processing agreements that comply with the GDPR. When SpotMyPhotos transfers European individuals’ personal data outside of the European Union, we use one of the European Commission-approved transfer mechanisms.