Unlimited storage & easy-to-use mobile app. Impress the heck out of clients.
Learn More



GDPR and PhotoShelter

The General Data Protection Regulation, or GDPR, is a European privacy law set to go into effect on May 25, 2018. The GDPR regulates how individuals and organizations may collect, use, and retain personal data, which affects PhotoShelter and sites run on PhotoShelter's platform. This guide covers some of what PhotoShelter is doing to comply with GDPR and points you should be aware of as a PhotoShelter site owner.

* * *

Who is affected by GDPR?
GDPR affects both organizations based in the EU and organizations involved in processing EU citizens' personal data. Since people in the EU can visit sites hosted by PhotoShelter, this means PhotoShelter and its customers are both subject to the GDPR.

* * *

What is considered “personal data”?
Under the GDPR, personal data is any information about a specific person. This broad definition includes not only traditional personal data—e.g., dates of birth, names, physical addresses, email addresses—but location data, photography with identifiable individuals present, financial information, and much more.

* * *

What is PhotoShelter doing to ensure compliance with the GDPR?
At PhotoShelter, we're working across the company to ensure we're prepared for the GDPR. This includes reviewing how we store and use data about our customers and on behalf of our customers. We’re also doing the following:

  1. Updating our Terms of Service and Privacy Policy to be more transparent about our use and treatment of data. These updates will include the addition of data processing agreement, or DPA, provisions, and will be made before the GDPR takes effect.
  2. Implementing internal processes to help our customers comply with EU data subject rights.
  3. Determining what, if any, product changes need to take place.

* * *

Does PhotoShelter need to store data in the EU?
As with existing law, the GDPR requires that certain safeguards be put in place when transferring personal data outside the EU. We already self-certified to the EU-US Privacy Shield, which allows us to lawfully transfer EU personal data to our US-based datacenters. As always, you can contact us to request that we remove your data from our system. We can also help if your customers or visitors ask you to delete data that we store in our system on your behalf.

* * *

GDPR Best Practices for PhotoShelter sites
While we can’t offer legal advice, here are some best practices that will help you get started with your GDPR compliance. Personal data audit

  • Review your website and look for areas where you collect personal data, bearing in mind the modified GDPR definition of “personal data.”

Some questions to consider:

  • Do you collect personal data on your site using third-party services? (e.g., Google Analytics, a Form Block connected to MailChimp and Google Drive). You should read the privacy policies of those services.
  • Do you download or export data from your site into another system?
  • Do you combine the personal data you collect with other sources of data?
  • Are you gathering information you don’t need?

Create (or update) your privacy policy.

Once you’ve identified your data collection activities, consider making a page on your site that documents:

What information you collect.
Why you collect that information.
Who you share that information with.
Any other information required under the GDPR.

Posting a privacy policy gives visitors more clarity about your use of their information.