
GDPR DATA PROCESSING AGREEMENT (DPA)

Last updated: 21.01.2026
This Data Processing Agreement (“Agreement”) forms part of any contract for services between Piper&Muse Photography (also trading as Piper & Muse Photography) (“Data Controller”) and the third party or client identified below (“Data Processor”) and reflects the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Parties
Data Controller:
Piper&Muse Photography
Email: piperandmusephotography@outlook.com
2. Purpose of Processing
The Data Processor shall process personal data only for the purpose of supporting the delivery of photography services, including but not limited to:
- Wedding, family, couple, or proposal photography services
- Client communication and coordination
- Online gallery hosting and delivery
- Album and print production
- Business administration directly related to client services
3. Nature and Duration of Processing
- Nature: Collection, storage, viewing, transfer, and deletion of personal data
- Duration: For the duration of the service agreement and only as long as necessary to fulfil contractual or legal obligations
4. Types of Personal Data
Personal data processed may include:
- Names of clients and participants
- Email addresses and telephone numbers
- Postal addresses (where required for delivery)
- Event details (dates, venues, preferences)
- Photographic images and visual data
- Online identifiers (IP addresses where applicable)
5. Categories of Data Subjects
- Clients of Piper&Kin Photography
- Wedding guests or family members appearing in images
- Children (where applicable, with parental consent)
6. Obligations of the Data Controller
The Data Controller shall:
- Ensure personal data is processed lawfully, fairly, and transparently
- Ensure appropriate consent or lawful basis is in place
- Provide instructions to the Data Processor regarding data handling
- Maintain records of processing activities
7. Obligations of the Data Processor
The Data Processor agrees to:
- Process personal data only on documented instructions from the Data Controller
- Ensure confidentiality of all personal data
- Take appropriate technical and organisational measures to protect personal data
- Ensure staff with access to data are subject to confidentiality obligations
- Not engage another sub-processor without prior written authorisation
- Assist the Data Controller in responding to data subject requests
- Assist with data protection impact assessments where required
- Notify the Data Controller without undue delay of any personal data breach
8. Sub-Processors
Where sub-processors are engaged, the Data Processor shall ensure that equivalent data protection obligations are imposed and shall remain fully liable for their actions.
9. Data Security
The Data Processor shall implement appropriate safeguards including:
- Secure password-protected systems
- Encrypted data storage where possible
- Restricted access to personal data
- Secure transfer methods
10. International Transfers
Personal data shall not be transferred outside the UK without appropriate safeguards in place and written approval from the Data Controller.
11. Data Subject Rights
The Data Processor shall promptly notify the Data Controller of any request received from a data subject and shall not respond directly unless authorised.
12. Data Breach Management
In the event of a personal data breach, the Data Processor shall notify the Data Controller within 48 hours and provide full cooperation to investigate and remediate the breach.
13. Return or Deletion of Data
Upon termination of services, the Data Processor shall, at the choice of the Data Controller, delete or return all personal data unless retention is required by law.
14. Audits and Compliance
The Data Controller may audit the Data Processor’s compliance with this Agreement upon reasonable notice.
15. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of England and Wales.

