PURPOSE: The purpose of this policy (“Policy”) is to establish baseline data security standards and data privacy requirements for any vendor (“Vendor”) that performs services for Getty Images, Inc., or any of its affiliates (“Getty Images”). Vendor will comply with the privacy provisions set forth in this Policy (“Requirements”) if Vendor accesses, collects, stores, transmits, discloses, processes, and/or otherwise uses any information that (i) independently identifies a distinct individual, (ii) in combination with information that a party has at its reasonable disposal, can be used to identify a distinct individual, or (iii) would be considered personal information as such term/concept is defined by Data Protection Legislation (“Personal Data”).

SCOPE: Vendor must handle, treat, and otherwise protect Getty Images Personal Data in accordance with this Policy and any contractual agreement between such Vendor and Getty Images. If there is a direct conflict between any term of this Policy and the terms of a written contract between Vendor and Getty Images, the terms of the written contract will prevail to the extent of the conflict.      

  1. General Terms
    1. “Data Protection Legislation” shall mean all applicable laws relating to privacy and the processing of personal data that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by the supervisory authorities. Data Protection Legislation includes, but is not limited to, (1) EU: The General Data Protection Regulation (Regulation (EU) 2016/679, or “GDPR”) and/or any corresponding or equivalent national laws, rules and regulations; (2) in member states of the European Union: the Data Protection Directive or the GDPR, and all relevant member state laws, rules and regulations giving effect to or corresponding with any of them; (3) when effective, the Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications); (4) UK: the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); the Data Protection Act 2018 (the “DPA 2018”); the Privacy and Electronic Communications (EC Directive) Regulations 2003 as it continues to have effect under section 2 of the European Union (Withdrawal) Act 2018 (“PECR”); and any other laws in force in the UK from time to time applicable (in whole or in part) to the Processing of Personal Data; (5) US: The Texas Business and Commerce Code – Capture or Use of Biometric Identifier; (6) the Illinois Biometric Information Privacy Act; (7) the California Consumer Privacy Act (CCPA); and (8) Brazil: The Brazil General Law on Personal Data Protection (LGPD); any judicial or administrative interpretation of any of the above, and any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued, in each case, by any relevant data privacy authority; and any other successor or other laws, rules, and regulations applicable to any of the above whether in force at the Effective Date or thereafter.
    1. Materiality. If Vendor fails to comply with the Requirements, then Getty Images is entitled to either suspend Vendor’s performance under the Agreement or terminate this Agreement with immediate effect, without any penalty, liability, or further obligation.
    1. “Good Industry Practice” shall mean, in relation to any activity and under any circumstance, exercising the same skill, expertise and judgement and using facilities and resources of a similar quality as would be expected from a person who: (a) is skilled and experienced in providing the services in question, seeking in good faith to comply with his contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply; (b) takes all proper and reasonable care and is diligent in performing his obligations; and (c) complies with all applicable legislation and any applicable industry standards including any recognized industry quality standards and applicable law.
    1. “data controller”, “data processor”, “subprocessor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organizational measures” shall be interpreted in accordance with Directive 95/46/EC, or other applicable Data Protection Legislation, in the relevant jurisdiction.
    1. “EU standard contractual clauses” shall mean the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
    1. “UK standard contractual clauses” means standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR.
  2. Scope. The parties agree that Getty Images is a data controller and that Vendor is a data processor in relation to personal data that Vendor processes on behalf of Getty Images in the course of providing the services under the Agreement (the “Services”). The subject-matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to that necessary to carry out the Services described in, the Agreement and any applicable Statement of Work (“SOW”). The processing will be carried out until the date Vendor ceases to provide the Services to Getty Images. 
  3. Data Protection.  In respect of personal data processed in the course of providing the Services, Vendor shall adhere to the following requirements:
    1. Vendor will process the personal data only in accordance with the written instructions from Getty Images and only in compliance with Data Protection Legislation. Such instructions may be specific or of a general nature as set out in this Policy, the Agreement, an SOW, or as otherwise notified by Getty Images to Vendor in writing from time to time. The nature and purposes of the processing shall be limited to that necessary to carry out such instructions, and not for Vendor’s own purposes, or for any other purposes except as required by law. If Vendor is required by law to process the personal data for any other purpose, Vendor will inform Getty Images of such requirement prior to the processing unless prohibited by law from doing so.
    1. Vendor will process the personal data only to the extent, and in such manner, as is necessary for the provision of the Services. Vendor may only correct, delete, or block the personal data processed on behalf of Getty Images as and when instructed to do so by Getty Images.
    1. Vendor will implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Legislation and Good Industry Practice. Such measures shall include, as appropriate:
      1. the pseudonymisation and encryption of personal data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
    1. Vendor will not give access to or transfer any personal data to any third party (including any affiliates, group companies or sub-contractors) without the prior written consent of Getty Images. Where Getty Images does consent to Vendor engaging a sub-contractor to carry out any part of the Services, Vendor must ensure the reliability and competence of such third party, its employees or agents who may have access to the personal data processed in the provision of the Services, and must include in any contract with such third party provisions in favor of Getty Images which are equivalent to those in this Policy and the Agreement and as are required by applicable Data Protection Legislation. For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation, Vendor will remain fully liable to Getty Images for the fulfilment of its obligations under this Policy and the Vendor.
    1. Vendor will take reasonable steps to ensure the reliability and competence of any Vendor personnel who have access to the personal data. Vendor will ensure that all Vendor personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this Policy.
    1. Vendor will take all reasonable steps to assist Getty Images in meeting Getty Images’ obligations under applicable Data Protection Legislation, including Getty Images’ obligations to respond to requests by data subjects to exercise their rights with respect to personal data, adhere to data security obligations, respond to data breaches and other incidents involving personal data, conduct data protection impact assessments, and consult with supervisory authorities. Vendor will promptly inform Getty Images in writing if it receives: (i) a request from a data subject concerning any personal data; or (ii) a complaint, communication, or request relating to Getty Images’ obligations under Data Protection Legislation.
    2. Vendor will not retain any of the personal data for longer than is necessary to provide the Services.  At the end of the Services, or upon Getty Images’ request, Vendor will securely destroy or return (at Getty Images’ election) the personal data to Getty Images.
    3. With regard to personal data related to data subjects located in the European Economic Area, Vendor will not process such personal data in a location outside the European Economic Area, except:
      1. with the prior written consent of Getty Images and on the documented instructions of Getty Images;
      2. by taking such steps as may reasonably be required by Getty Images on an ongoing basis to ensure there is adequate protection for such personal data in accordance with applicable Data Protection Legislation; and
      3. pursuant to the EU standard contractual clauses as can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and as may be updated from time to time and which may include additional safeguards that may be required by Getty Images. The parties acknowledge and agree that for so long as it is lawfully permitted to rely on the standard contractual clauses for the transfer of personal data to controllers set out in the European Commission’s Decision 2004/915/EC of 27 December 2004 (“Prior C2C SCCs”) for transfers of personal data from the United Kingdom, the Prior C2C SCCs shall apply between the parties. If the preceding sentence no longer applies, then the parties acknowledge and agree that the UK standard contractual clauses shall be deemed incorporated into this Policy.
    • Vendor will allow Getty Images and its respective auditors or authorized agents to conduct audits and inspections during the term of the Agreement and for 12 months thereafter, which shall include providing access to the premises, resources and personnel used by Vendor in connection with the provision of the Services and provide all reasonable assistance in order to assist Getty Images in exercising its audit rights under this paragraph. The purposes of an audit pursuant to this paragraph include to verify that Vendor is processing personal data in accordance with its obligations under this Policy, the Agreement, and applicable Data Protection Legislation.
    • If Vendor becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Vendor in the course of providing the Services under the Agreement (a “Security Breach”),
      • it shall immediately and without undue delay notify Getty Images and provide Getty Images with: a detailed description of the Security Breach; the type of data that was the subject of the Security Breach; the identity of each affected person, and the steps Vendor takes in order to mitigate and remediate such Security Breach, in each case as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Getty Images may reasonably request relating to the Security Breach);
      • take action immediately, at its own expense, to investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and, with the prior written approval of Getty Images, to carry out any recovery or other action necessary to remedy the Security Breach;
      • not release or publish any filing, communication, notice, press release, or report concerning the Security Breach without Getty Images’ prior written approval (except where it is required to do so by law).
    • If the European Commission lays down, or an applicable supervisory authority adopts, standard contractual clauses for the matters referred to in Article 28(3) and Article 28(4) of the General Data Protection Regulation pursuant to Article 28(7) or Article 28(8) of the General Data Protection Regulation (as appropriate) and Getty Images notifies Vendor that it wishes to incorporate any element of any such standard contractual clauses into this Schedule, Vendor shall agree to changes as required by Getty Images in order to incorporate such elements in writing.
    • Vendor shall comply, at all times, with and assist Getty Images in complying with its applicable obligations under, Data Protection Legislation. Vendor shall provide any information requested by Getty Images to demonstrate compliance with the obligations set out in this Policy. Vendor shall not perform its obligations under the Agreement or this Policy in such a way as to cause Getty Images to breach any of its obligations under applicable Data Protection Legislation.
    • Vendor will notify Getty Images immediately if, in Vendor’s opinion, an instruction for the processing of personal data given by Getty Images infringes applicable Data Protection Legislation.
    • In addition to those restrictions set out in Section 3, Vendor will not: (a) Sell Personal Data; or (b) otherwise collect, retain, use or disclose Personal Data outside of the direct business relationship between Vendor and Getty Images; unless a legal requirement obligates Vendor to engage in different processing of the data. In such case, Vendor shall inform Getty Images of that legal requirement before commencing the different Processing Purposes, unless that legal requirement prohibits providing such information on important grounds of public interest. Vendor certifies that it understands and will comply with these prohibitions. “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing or by electronic or other means, Personal Data by Vendor to a third party for monetary or any other valuable consideration, such as data, services or discounts on fees.

General Data Protection policy V. 12-3-21