GDPR

GDPR Overview

The aim of the General Data Protection Regulation (GDPR) imposed by the EU is to have one set of data protection rules for all companies operating in the EU, wherever they are based. It is scheduled to go into effect on May 25, 2018.

While we have always worked to ensure that we protect all personally identifiable information entrusted with us by our customers and their clients, GDPR is now holding us to a higher standard. To that end, Zenfolio abides by the policy that is in the best interest of individual photographers, their clients, and Zenfolio to protect the rights of people providing data.

We are committed to ensuring that photographers and their clients are clear about what data we collect and why we collect it, have access to the personal data collected, and have the ability to request timely erasure of the data. This article provides critical information for photographers and their clients on how Zenfolio handles their data.

In summary, the GDPR includes the following rights for individuals:

- the right to be informed
- the right to consent
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling.


For more details, we strongly recommend visiting the EU website and other resources:  

FAQs

What steps has Zenfolio taken in order to ensure compliance with GDPR regulations by the deadline?
  • Zenfolio has thoroughly researched the new requirements to ensure compliance and continues to monitor changes and new information as it becomes available.
  • We have added an opt-in checkbox for clients who wish to create new accounts with Zenfolio photographers.
  • We have updated our photographer-facing Terms of Use.
  • We have updated our client-facing User Agreement that appears on all websites.

Is there a GDPR compliance certificate available from the EU?
Not at present.

When will this become law?
May 25, 2018

What is the primary purpose?
The origin of GDPR was an attempt to consolidate an antiquated compliance environment of EU data protection authorities with 28 different sets of guidelines into one clear and concise set of guidelines. Most of the “rules” enacted with GDPR have already been in effect to one extent or another. With the previous guidelines, people did not feel they had complete control over the information they provide online.

Ultimately, the purpose is to reinstate confidence and exhibit control over your personal data by protecting the personal data as well as the rights around the usage of the data, and ensuring transparency about the use of the data. The GDPR guidelines are centered on nine key principles (see list of rights being protected above).


Who owns and/or is responsible for the data held by Zenfolio?
Zenfolio owns and is responsible for photographers’ data, and photographers own and are responsible for their clients’ data.

As a photographer, how can I ensure that my Zenfolio website is in compliance with GDPR requirements?
Best practices for GDPR compliance include the following:
  • Inform your clients and explain the intended purpose of the data being collected. Be as transparent as possible: Use plain language and say why you are processing the data, how long it will be stored and with whom you will share the data
  • Only maintain data required to conduct your business; purge any personally identifiable information that is no longer required
  • Obtain clear consent to process the data -- ensure that you receive parental consent for processing data of minors/children
  • Inform your clients of any known data breaches as soon as possible
  • Be prepared to remove client data upon request
  • Do not share information collected from clients without their express consent and provide them with the right to opt-out of direct marketing of their data
  • Stay up to date of possible changes to GDPR requirements
  • Communicate ideas/questions re: GDPR to Zenfolio Customer Support at this link
  • Stay up to date on GDPR and Zenfolio at this Forum Discussion link

As a photographer, how do I protect client data?
Zenfolio recommends obtaining express written consent from the client to upload photos, especially because many client photos contain GDPR-protected information (health, race, age, gender, sexual orientation, religion or political beliefs, for example). Additionally, we recommend adhering to best practices when creating client galleries and their passwords -- see this link for more information. 

As a photographer, how can I ensure that the current information I have in my account will be in compliance?
  • Carefully review, and then maintain, only client data that is required for you to conduct business
  • Delete any personally identifiable information that is no longer required to conduct business

As a photographer, how can I ensure that future information I collect will be in compliance?
Zenfolio has implemented the following changes to ensure that data collected will be in compliance with GDPR:
  • Adding a mandatory opt-in checkbox that clients have read and acknowledge the User Agreement when creating accounts
  • Updates to the User Agreement to include GDPR-specific changes

Where are photographer and client data on Zenfolio stored?
The majority of data collected resides on our secure corporate servers located in the US. Certain banking and merchant information is shared with the respective financial institution in order to process payments and refunds.

As a photographer, if my client requests deletion of information, but I want to keep it, what are my obligations? ‚Äč
GDPR provides the “right to be forgotten.”  Zenfolio highly recommends that you delete the information upon request, to the extent that it is not required by law or for your business. As a minimum, the data should be removed from your website. Alternatively, you may wish to institute best practices for removing any personally identifiable information or making data anonymous. Note that it is the photographer’s responsibility to remain informed and in compliance with GDPR regulations.


 

Important information for photographers re: both YOUR Account and your CLIENT'S account

    
What data does Zenfolio collect on PHOTOGRAPHER Accounts?
Name
Email
Alternate Email
Password
Account Creation Date
Time, Location, and IP address of logins
Order History (subscriptions and photo product e-commerce transactions)
Billing Address
Credit Card Info
PayPal Address
ACH Information
Mailing Address
Billing Address
Phone Number(s)
Tax/VAT ID


What data does Zenfolio collect on CLIENT Accounts?
Name
Email
Password
Account Creation Date
Time, Location, and IP Address of Logins
Order History
Billing Address
Credit Card Info
Email Subscriptions
- email campaigns from the photographer (opt-out possible)
- order-related emails
- personal communication from the photographer
Browser, Operating System and Device information

 

What is the process for data deletion?


Deletion of PHOTOGRAPHER account
  1. Contact Zenfolio Customer Support at this link and provide the following information: Account information to verify identity and ownership
  2. Zenfolio Customer Support will close and purge the account and request database deletion. Please note that while data will be removed visibly from our site, we may retain personal information in our internal database required to operate our business, or by law.
  3. Zenfolio Customer Support will send a confirmation email to account holder

Deletion of CLIENT account
  1. Photographer to contact Zenfolio Customer Support at this link and provide the following information: Account information (email address)
  2. Zenfolio Customer Support will close and purge the account and request database deletion. Please note that while data will be removed visibly from our site, we may retain personal information in our internal database required to operate our business, or by law.
  3. Zenfolio Customer Support will send a confirmation email to the photographer.

IMPORTANT NOTE: Zenfolio will not interfere with client/photographer relationships. It is the Photographer’s responsibility to communicate with the Client.


 

What is the Process for data disclosure?


RE: PHOTOGRAPHER account
  1. Contact Zenfolio Customer Support at this link and provide the following information: Account Information to verify identity and ownership
  2. Zenfolio Customer Support will provide a report to the authorized account holder that includes all information collected/stored


RE:  CLIENT account
  1. Photographer to contact Zenfolio Customer Support at this link and provide the following information: Account Information (email address)
  2. Zenfolio Customer Support will provide a report to photographer that includes all information collected/stored

IMPORTANT NOTE:. Zenfolio will not interfere with client/photographer relationships. It is Photographer’s responsibility to communicate with the Client.


 

Zenfolio responsibilities


RE: PHOTOGRAPHER Accounts
Upon request, Zenfolio will disclose or delete Photographer's account.

RE: CLIENT Accounts
Upon request, Zenfolio will work with the photographer to facilitate Client account info disclosure or deletion. In addition Zenfolio will make all reasonable efforts to keep photographers informed of any changes to GDPR regulations. Zenfolio will strive to remain in compliance with GDPR regulations at all times.

 

Photographer responsibilities

RE: CLIENT Accounts

Photographers own and are responsible for all data collected through their website. If the Client requests either disclosure or deletion of information it is the photographer’s responsibility to contact Zenfolio Customer Support at this link and request it.

Zenfolio recommends, but does not require or provide features for collecting/storing such data, that if photographers choose to collect client data, they also keep the following records:
  • Name and contact details
  • Reasons for data processing/collecting, client consent
  • Description of categories of data subjects and personal data
  • Name and purpose of organizations with whom the photographer shares data
  • Transfer of data to another country or organization
  • Time limit for removal of data, if possible
  • Description of security measures used when processing, if possible  

Important information for CLIENTS of photographers

If you are a client of a photographer who uses the Zenfolio platform, the photographer is the responsible party -- we recommend contacting them directly with any requests for data access, collection details and procedures, or deletion. Zenfolio will then work closely with the authorized account holder to process any and all GDPR requests. In the event that you have difficulty contacting the photographer, please contact our Customer Support Team at this link with details. We will make all reasonable attempts to contact the photographer on your behalf. Please note, however, that we will not make any change to an account holder’s data without express authorization from the account holder.