GETTY IMAGES DATA PROTECTION ADDENDUM
Effective starting: the earlier of (i) March 7, 2025, and (ii) the date the applicable premium access agreement, editorial subscription agreement, Media Manager, Generative AI agreement or any other content or data license, memorandum of agreement, purchase orders, releases or other means of ordering goods or services or entering into any arrangement with GettyImages, as amended from time to time (each an "Agreement") are effective.
This GettyImages Data Protection Addendum (“DPA”) supplements the Agreement, or other agreement in place between Customer and GettyImages covering Customer’s use of GettyImages' products and services or otherwise entering into any arrangement with GettyImages where Personal Data may be processed by a party. Unless otherwise defined in this DPA or in the applicable Agreement, all capitalized terms used in this DPA will have the meanings given to them in section 2.0 of this DPA.
1. CURRENT VERSION; CHANGES AND UPDATES
The current version of this Addendum is 3.9, effective March 2025.
GettyImages may update the terms of this DPA from time to time; provided, however, GettyImages will post on its sites when an update is required as a result of (a) changes in Applicable Privacy Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.
1.1 DESCRIPTION
The DPA describes the commitments of GettyImages (which, for the sake of clarity, may include any company within the worldwide group of GettyImages companies) to data protection with you pursuant to any Agreement (as may be set out in our current or current (“iStock”) or as otherwise separately entered into with GettyImages or any other of its affiliates, which shall include iStock (“GettyImages” or “we”).
1.2 ACCEPTANCE OF THIS DPA
As used in this DPA, “Licensee” (or “you”) means the company or individual that executed and entered into an Agreement and that incorporates this DPA by reference. Together with the Agreement, this DPA forms part of a binding contract between GettyImages and you.
1.3 SCOPE AND OVERVIEW
- This DPA applies to users, corporate and individual, that enter into any Agreement with GettyImages. The particular GettyImages entity with whom you may be contracting will depend on the region in which you live and is set out or may include a GettyImages affiliate like iStockphoto LP. Regardless, this DPA applies to the data processing we may undertake in relation to Personal Data that you may provide or generate through the access to our content and/or use of our systems and tools.
- The primary purpose of the collection of Personal Data is to support license subscriptions, which includes licensing content from the creators of the images, videos, and other media that you access from our sites. This includes processing of information to support payments for these licenses via our third‑party payment processor. Additionally, Personal Data may be collected and processed to facilitate the licensing of generative AI content, ensuring compliance with rights management and attribution requirements. Furthermore, if you utilize our digital asset management (DAM) storage services, we may process and store Personal Data that you upload to your DAM (subject to terms and conditions of upload), including metadata and associated user information, to enable secure storage, retrieval, and management of your digital assets.
- Because copyright licenses may be for a significant period of time, GettyImages is required to retain certain kinds of information for the duration of those licenses, such as license and download history as well as contact information for the purposes of notifying licensees in the event of any third party claims associated with such content, as well as for our records retention requirements under a variety of laws in the jurisdictions in which we operate.
- Additionally, GettyImages may utilize information from your past searches and downloads, in order to present you with similar content that may be of interest to you. As part of your access to the GettyImages services, for the most part you are able to request deletion, obtain a copy of data, or restrict use of personal data, to support your own personal data rights as well as respond to the data access requests of others. It is expected that you will utilize our services in compliance with Applicable Laws and for any privacy related requests that you may have, GettyImages will support you to the extent that such support is required to help facilitate legitimate data subject access requests.
1.4 CONTACT INFORMATION
- If you have a privacy concern, complaint, or question, you can contact GettyImages by emailing privacy@gettyimages.com or by phone at +1 206‑925‑5000, or by postal mail at Attn: Data Privacy Group, GettyImages, (US), Inc., 605 5th Avenue South, Suite 400, Seattle, WA 98104, United States.
- EU: Our data protection representative for the European Economic Area and Switzerland is located at GettyImages International UC. You can contact them by emailing privacy@gettyimages.com or by phone at 1800 931 768, or by postal mail at Attn: Privacy, GettyImages International, 10 Earlsfort Terrace, Dublin 2, Dublin, D02 T380, Ireland.
- UK: Our data protection representative for the UK is located at GettyImages (UK) Limited. You can contact them by emailing privacy@gettyimages.com or by phone at 1800 931 768, or by postal mail at Attn: Privacy, GettyImages (UK) Limited, 101 Bayham Street, London, England NW1 0AG, United Kingdom.
2. INTRODUCTION AND DEFINITIONS
This DPA between you and GettyImages explains our obligations in relation to data protection from GettyImages. By downloading content from GettyImages, or using GettyImages services, you accept the terms of this DPA and this DPA forms part of your Agreement. This DPA applies when you act either as a Data Controller, or a Processor on behalf of a Data Controller, when you transfer Personal Data to GettyImages for Data Processing.
- “Agreement” shall have the meaning as set out in the preamble.
- “Applicable Privacy Law” means any applicable privacy and data protection law(s), including any privacy and data protection law(s) to which you are subject (including, if and where applicable, U.S. Data Protection Law, EEA/EU Data Protection Laws, Swiss Data Protection Laws, UK Data Protection Laws, the Australian Privacy Act, the Brazilian Lei Geral de Proteção de Dados (General Personal Data Protection Act), the Canadian Personal Information Protection and Electronic Documents Act; the Japanese Act on the Protection of Personal Information and the South Korean Personal Information Protection Act).
- “Applicable Law” means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing GettyImages that is of general application to entities operating within the jurisdictions that GettyImages operates or as identified in the Agreement made pursuant to it.
- “Affiliated Companies” means any legal entities controlling, controlled by or under common control with you.
- “Data Controller” means the party that has authority over the processing of personal information, determining the purpose for its use and the manner that it is processed.
- “Data Exporter” means a Party that transfers Personal Data to another Party in accordance with the Agreement.
- "Data Importer" means a Party that receives Personal Data from another Party in accordance with the Agreement.
- “DPA” shall have the meaning as set out in the preamble.
- “Data Processing”, “Process” and “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Data Processor” means the party that processes Personal Data on behalf of, and under the instruction of, the Data Controller.
- “Data Protection Authority” means the official body that ensures compliance of the Applicable Privacy Law within its applicable jurisdiction.
- “Data Subject” means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed, excluding Personal Data, which is encrypted or tokenized, for which the password, token, security key or device to decrypt such Personal Data has not been the subject of any loss or disclosure.
- “European Economic Area” and “EEA” mean the Member States of the European Union plus Norway, Iceland and Liechtenstein.
- “General Data Protection Regulation” and “GDPR” means the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the Directive and any equivalent legislation enacted in the United Kingdom.
- “Personal Data” means any information regulated by Applicable Privacy Law provided by the Data Controller, including information concerning an identified or identifiable individual, such as, name, address, age, gender, income, family status, health records, etc., excluding any data which is encrypted in GettyImages’ systems, and for which GettyImages (or its sub‑processors) do not have the ability to access, nor hold any password, key, device or other means to decrypt or access.
- “Restricted Transfers” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area (“EEA”) to a country outside the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK’s Data Protection Act 2018.
- “Services” means the services provided to you by GettyImages under any applicable Agreement that you may have with GettyImages.
- “Schedule” means the schedules to this DPA.
- “Sub‑Processor” means third‑party Data Processors engaged by GettyImages who have or potentially will have access to, or process, Personal Data and as set out at Schedule C, Approved Third Party Processors.
- “EU Standard Contractual Clauses” or “EU SCCs” means (i) where the GDPR applies, the model clauses annexed to the European Commission’s Implementing Decision 2021/914 dated June 4th, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council; and (ii) where the UK GDPR applies, the applicable model data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the , as such standard contractual clauses may be revised or replaced by the European Commission.
- "UK Adequacy Finding" means any regulations made by the Secretary of State under Section 17A of the Data Protection Act 2018 that a country, territory, sector or international organization ensures an adequate level of protection for personal data to which the UK GDPR or DPA 2018 applies.
- "UK Data Protection Laws" means: (i) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the Data Protection Act 2018 (the "DPA 2018"); (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as it continues to have effect under section 2 of the European Union (Withdrawal) Act 2018 ("PECR"); and (iv) any other laws in force in the UK from time to time applicable (in whole or in part) to the Processing of Personal Data as such may be amended or superseded from time to time.
- "UK IDTA" means the International Data Protection Agreement adopted pursuant to or permitted under section 119A of the Data Protection Act 2018 effective March 17, 2022.
- "UK SCCs" means standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR.
- “U.S. Data Protection Law” means those data protection or privacy laws and regulations within the United States, including, (i) the California Consumer Privacy Act (as amended) (the “CCPA”), including as modified by the California Privacy Rights Act of 2020 (the “CPRA”) together with any amending or replacement legislation, including the California Privacy Rights Act of 2020; (ii) the Virginia Consumer Data Protection Act of 2021; (iii) the Colorado Privacy Act of 2021 ("Colorado Privacy Act"); (iv) Connecticut Public Act No. 22‑15, “An Act Concerning Personal Data Privacy and Online Monitoring”; and (v) the Utah Consumer Privacy Act of 2022 and any regulations promulgated thereunder.
3. RELATIONSHIP OF THE PARTIES; PURPOSES; AND INSTRUCTION
3.1 Relationship of the Parties
- The purpose(s) of the processing of both the DPA and the Agreement are specified in Schedule A, to comply with the GDPR and the Applicable Privacy Law.
- The parties agree that in regard to the processing of Personal Data pursuant to an Agreement, that you may act either as a Data Controller or Data Processor, and GettyImages as a Data Processor.
- Each Party consents to the other Party using the names, phone numbers, business addresses, and e‑mail addresses of its employees (“Business Contact Information”) for contract and account management, payment processing, service offerings and such other purposes as set out in the using Party’s privacy notice (copies of which shall be made available upon request), subject to compliance with the applicable laws. For such purposes, and notwithstanding anything else set forth in this DPA with respect to Personal Data in general, each Party shall be considered an independent Data Controller with respect to the other Party’s Business Contact Information and shall be entitled to transfer such information to any country where such Party’s organization operates. Each Party warrants that it has authority to consent to the use of the Business Contact Information by the other Party.
3.2 Purpose(s) of the Processing of Personal Information
- The purpose(s) of the processing of both the DPA and the Agreement are specified in Schedule A, to comply with the GDPR and the Applicable Privacy Law.
- As established in Article 28 (3) GDPR, GettyImages shall process the Personal Data only on documented instructions from you and for no other purposes other than purpose(s) defined in Schedule A.
3.3 Instructions
- You represent and warrant that you have full authority to issue binding instructions and/or guidance to GettyImages regarding the nature, scope and procedure of the data processing. Instructions must be granted in a documented form (i.e., in writing, including via e‑mail).
- You hereby instruct and authorize GettyImages to Process the Personal Data provided to, or otherwise obtained by, GettyImages under the Agreement, for the sole and exclusive purpose of performing GettyImages’ obligations under the Agreement.
- You acknowledge that the primary function of the Services outlined in the Agreement is to facilitate content licensing by You, of images, photos, illustrations, vectors, and video clips in addition to AI‑generated content and related tools and services, and in some instances, depending on the Services you have subscribed to, may include the storage or processing of Personal Data. You acknowledge further that due to the nature of the Services provided, that GettyImages and its sub‑processors may not always be aware of whether Personal Data has in fact been stored in its systems, and do not regularly access data that you may have stored within the systems provided by GettyImages for the purposes of managing such content licenses.
- If GettyImages is required to disclose personal data to a law enforcement agency or pursuant to an order of a court or tribunal of competent jurisdiction, it shall inform you of that legal requirement before disclosing the Personal Data, unless applicable law prohibits such information on important grounds of public interest, or to support its legitimate interests in complying with laws of general application on the part of GettyImages.
- GettyImages may transfer personal data from EEA countries to any other countries with respect to which the European Commission has issued an adequacy decision, or from the United Kingdom to any other countries to which the United Kingdom has issued an adequacy decision. In the event that an adequacy decision is altered or annulled, GettyImages shall enter into the then current form of Standard Contractual Clauses (“SCCs”), as approved by the European Commission, or the current form of International Data Transfer Addendum (IDTA) approved by the United Kingdom.
- In the event that GettyImages transfers to other (non‑adequate) jurisdictions, including with respect to Sub‑Processors, GettyImages shall enter into the current form of SCC or IDTA, with any relevant Sub‑Processors. GettyImages’ transfers to non‑adequate jurisdictions shall be subject to the SCC and/or IDTA that are included as appendices to this DPA.
- You as the Data Controller expressly instruct and permit GettyImages to conduct product and service improvement activities that process Personal Data, in the aggregate or on a statistical basis, for internal and product improvement purposes.
4. YOUR OBLIGATIONS
4.1 You shall in utilizing the Services of GettyImages:
- Apply data minimization principles in the collection, use or storage of such Personal Data in your use of the Services provided under the Agreement, that are actually required to utilize the required Services, acknowledging that data collection undertaken by GettyImages through these Services may be undertaken with a minimal set of personal data elements.
- Utilize secure methods for the transmission and sharing of Personal Data with GettyImages, appropriate to its sensitivity.
- Maintain and keep secure passwords and tokens utilized to access the Services of GettyImages; and
- Manage, using any tools or applications provided by GettyImages, your own retention of data, including secure disposal or deletion of such Personal Data.
- You represent and warrant that the Personal Data that you provide and/or give access to GettyImages is being processed lawfully in accordance with the laws and regulations applicable in which the Personal Data is derived, and/or to which you are subject.
5. DATA PROTECTION AND SECURITY OBLIGATIONS
5.1 GettyImages’ Obligations
GettyImages shall:
- Implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with Applicable Privacy Law. GettyImages’ technical and operational security measures are set out in Schedule B.
- Notify you through this site, of any material change in laws applicable to GettyImages that would prevent either of the parties from performing their obligations under this DPA in compliance with Applicable Law or that would require modifications or further actions.
- Ensure that Personal Data is only being collected, used and processed as required in Schedule A and in accordance with Your documented instructions as set forth in this DPA.
- Abstain from making duplicates of Personal Data unless required specifically by you or by Applicable Law, except as required to comply with business continuity and disaster recovery policies of GettyImages.
- Not disclose the Personal Data to third parties unless specifically permitted by the Agreement, the DPA, your written instructions, or as required or permitted by Applicable Law.
- Ensure that all authorized personnel with access to the Personal Data are legally bound by confidentiality obligations during and after the termination of the DPA, including after the termination of their employment.
- Train GettyImages’ employees involved in the processing of the Personal Data to comply with the Applicable Privacy Law and with the requirements established in this DPA.
- Provide access to Personal Data to GettyImages’ employees on a need‑to‑know basis only, and make sure that the employees are aware and compliant with the Agreement, the DPA, and the Applicable Privacy Law.
- Forward without undue delay any request sent to GettyImages directly from a Data Subject regarding their Personal Data to you as a Data Controller.
- Reasonably assist you, insofar as this is not possible using the tools and software available to you, to respond to any Data Subject’s request exercising their rights in accordance with Chapter III of the GDPR or other Applicable Privacy Law.
5.2 Sub‑Processors
- The Approved Sub‑Processors are included in Schedule C; you hereby consent to the use of the Sub‑Processors set out therein. The link on the website and/or as set out in Schedule C may change if GettyImages updates its sites or client facing documentation in which case, we will post such notification on our site.
- The obligations and specifications included in the DPA will apply to the Sub‑Processor when handling the Personal Data. This shall be explicitly agreed upon in a written agreement with the Sub‑Processor.
- GettyImages will be liable for each Sub‑Processor’s compliance with applicable obligations under this DPA and any acts or omissions of Sub‑Processors that cause you to breach any of your obligations under Applicable Law, except to the extent that use of any Sub‑Processor is subject to its own terms and conditions and privacy notice, in that the Sub‑Processor may also be acting as a Data Controller.
5.3 Rights of Data Subjects
- GettyImages will reasonably assist you as Data Controller in fulfilling your obligations under Articles 12 (1) and (3) of the GDPR in order to facilitate the exercise of Data Subject rights under Articles 15 and 22 of the GDPR, or other equivalent individual rights available under Applicable Privacy Laws.
- GettyImages maintains certifications under the Data Privacy Frameworks governing EU, UK, and Swiss data transfers which supplement its obligations to protect personal information transferred to the United States as well as providing the dispute resolution provided in those Frameworks. See Section 11.
5.4 Responding to Data Subject Requests
- GettyImages shall transfer to you any request received from the Data Subjects without undue delay and will inform the Data Subjects that they can direct their requests directly to you.
- GettyImages shall only be obliged to support the response to requests relating to the processing that GettyImages is responsible for under its agreement with you and only to the extent that GettyImages has available such information that may assist such a request.
5.5 Notifiable Data Breaches
- GettyImages shall notify you without undue delay of becoming aware of a Data Breach, and in any event within the periods of time applicable under Applicable Privacy Law. The notification shall include: (i) Description of the Data Breach, including, if possible, the categories of data and records concerned, the category and number of Data Subjects affected; (ii) Likely consequences of the Data Breach; (iii) Measures taken or proposed to address and/or mitigate the effects of the Data Breach; and (iv) Contact point where further information can be sought.
- GettyImages shall, without undue delay, take appropriate measures and follow its breach response protocol to address a Data Breach and protect Personal Data.
- Parties require the previous approval of the other Party to include and identify them in the breach notifications. Parties should not delay or withhold the approval without a reasonable cause.
5.6 Cooperation
- Upon written request, GettyImages shall assist you to comply with its obligations under the GDPR when related to the processing of the Personal Data, including but not limited to: (i) Data Breaches; (ii) Enquiries, complaints, audits, or claims from any court, government official, Data Protection Authority, third parties or individuals (including but not limited to the Data Subjects).
- GettyImages shall make available to you appropriate information reasonably necessary to comply with its obligations under the DPA and the Applicable Privacy Law.
- GettyImages will notify you of any requirements from an official authority without undue delay after receiving said enquiry, subject to section 9.
6. AUDIT RIGHTS
6.1 GettyImages may make available through its site, additional documentation regarding its compliance of the DPA and Applicable Privacy Laws. Such documentation may be a current attestation, reports or expert reports from independent bodies (auditors, DPO, accountant), certifications from an IT security or data protection audit, a certification approved by the Data Protection Authority, or an executive summary of the foregoing.
6.2 You shall have no right to conduct any audit of GettyImages’ systems or processes for the purpose of assessing compliance with this DPA. However, in the event that GettyImages has obtained a certification recognized under GDPR or can provide a current attestation pursuant to an internationally recognized standard or an equivalent from an independent auditor, GettyImages will make this available through this site.
7. RETURN AND DELETION OF THE PERSONAL DATA
7.1 You have the ability to request deletion and removal of documents and information containing Personal Data via your GettyImages account representative, through your administrator account (as may be applicable) or by emailing privacy@gettyimages.com.
7.2 For such information other than that GettyImages may be required or permitted to retain, in order to support the Agreement’s terms, or as required by Applicable Law, GettyImages will return or delete or remove the Personal Data upon termination of the DPA upon written request by you.
8. INTERNATIONAL DATA TRANSFER OBLIGATIONS; STANDARD CONTRACTUAL CLAUSES
8.1 GettyImages may transfer personal data from EEA countries to any other countries with respect to which the European Commission has issued an adequacy decision, or from the United Kingdom to any other countries to which the United Kingdom has issued an adequacy decision. In the event that an adequacy decision is altered or annulled, GettyImages shall enter into the then current form of the SCCs, as approved by the European Commission, or the current form of International Data Transfer Addendum (IDTA) approved by the United Kingdom.
8.2 In the event that GettyImages transfers to other (non‑adequate) jurisdictions, including with respect to Sub‑Processors, such transfers shall be pursuant to the SCCs and as further specified in Attachment 1 as relevant and as may be updated from time to time. Pursuant to foregoing, the SCCs are hereby incorporated into this DPA by reference. The parties shall enter into the current form of SCCs or IDTA, with any relevant Sub‑Processors.
8.3 The parties agree to observe the terms of the SCCs without modification (save for any specifications that may be applicable) and the SCCs shall be considered to be duly executed by the parties immediately upon the date on which the Agreement enters into force.
8.4 The rights and obligations afforded by the SCCs will be exercised in accordance with the terms of the Agreement.
8.5 In the event that the SCCs are amended, replaced or otherwise invalidated by the European Commission, the UK Government or under the Applicable Privacy Laws, the parties shall work together in good faith to enter into any updated version of such SCCs or negotiate in good faith a solution to enable a transfer of the Personal Data to meet the requirements of the GDPR or other Applicable Privacy law.
8.6 GettyImages maintains certifications under the Data Privacy Frameworks governing EU, UK, and Swiss data transfers which supplement its obligations to protect personal information transferred to the United States as well as providing the dispute resolution provided in those Frameworks. See Section 11.
8.7 In addition, GettyImages has conducted a Transfer Impact Assessment (TIA) concerning the transfer of Personal Data from the European Economic Area (EEA) to North America. This assessment ensures that such data transfers comply with the requirements of the General Data Protection Regulation (GDPR) and maintain an equivalent level of data protection as provided within the EEA.
9. LAW ENFORCEMENT AND PUBLIC AUTHORITIES
9.1 If GettyImages is required to disclose personal data to a law enforcement agency or pursuant to an order of a court or tribunal of competent jurisdiction, it shall inform you as Data Controller of that legal requirement before disclosing the Personal Data, unless applicable law prohibits such disclosure.
9.2 GettyImages relies on compliance with national laws as the basis for such lawful access disclosures, where such disclosure is made within the EEA, and on important grounds of public interest, or to support its legitimate interests in complying with laws of general application applicable to GettyImages, in jurisdictions outside the EEA where such disclosure obligations arise.
10. UK INTERNATIONAL DATA TRANSFER AGREEMENT (IDTA)
10.1 The parties agree that the IDTA will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK IDTA, the UK IDTA will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- In Table 1 of the UK IDTA, the parties’ details and key contact information is located in Section 1.5 of this DPA.
- In Table 2 of the UK IDTA, information about the version of the Approved EU SCCs, modules and selected clauses which this DPA is appended to is located in Attachment 1 (EU SCCs) of this DPA.
- In Table 3 of the UK International Data Transfer Agreement:
  - The list of Parties shall be as set out in the Agreement.
  - The description of the transfer is set forth in Schedules A.1, and A.2, of this DPA.
  - Annex II is located in Schedule B (Technical and Organizational Security Measures).
  - The list of sub‑processors is located in Schedule C of this DPA.
- In Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with the terms of the UK IDTA.
11. Data Privacy Framework Certification
11.1 GettyImages complies with DPF as set forth by the U.S. Department of Commerce. GettyImages has certified to the U.S. Department of Commerce that it adheres to the EU‑U.S. Data Privacy Framework Principles (“EU‑U.S. DPF Principles”) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU‑U.S. DPF and the UK Extension to the EU‑U.S. DPF. GettyImages has certified to the U.S. Department of Commerce that it adheres to the Swiss‑U.S. Data Privacy Framework Principles (“Swiss‑U.S. DPF Principles,” and together with the EU‑U.S. DPF Principles, the “DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss‑U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU‑U.S. DPF Principles and/or the Swiss‑U.S. DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit .
11.2 GettyImages will continue to comply with its commitments under its DPF, despite any challenges to it that may arise in relation to the validity of the DPF. Customers can continue to use GettyImages’ services in compliance with EU data privacy legislation. To the extent a transfer of EU customer data to the US is required for GettyImages to perform services for its EU customers, GettyImages has intracompany SCCs in place to validate the transfer. As the SCCs remain a valid method of transfer in the European Economic Area and the United Kingdom, customers can continue to rely on these SCCs as a compliant method to transfer customer data from the EU to the US.
11.3 Your data may be shared with the following US‑based GettyImages affiliates: (a) GettyImages (Seattle), Inc.; (b) GettyImages (US), Inc.; (c) GettyImages News Services (PRC), Inc.; (d) GettyImages, Inc.; (e) iStockphoto LP; or (f) Unsplash Inc. GettyImages maintains its adherence to the DPF as set forth by the U.S. Department of Commerce, the principles of which are based on Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.
11.4 We are still subject to the investigatory and enforcement powers of the US Federal Trade Commission. If third‑party agents process personal data on our behalf in a manner inconsistent with the principles of the DPF, we remain liable unless we prove we are not responsible for the event giving rise to the damage. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern.
11.5 If you have any questions or complaints related to our data privacy processes, we encourage you to contact us as indicated at the bottom of this privacy statement. For any complaints that cannot be resolved with us directly, you may refer the matter to JAMS by going . JAMS provides an independent third‑party dispute resolution body based in the United States. JAMS is committed to responding to complaints and to providing appropriate recourse at no cost to you. We will cooperate with JAMS pursuant to the JAMS International Mediation Rules, which are accessible on the JAMS website at . Given that JAMS’ affiliated Regional Centre outside of the United States is based in the United Kingdom, the Information Commissioner’s Office (ICO) has jurisdiction for any cross‑border processing activity if you are located in the UK, or if you are resident in an EU country, you may contact the supervisory authority in your country under the GDPR. If neither GettyImages nor JAMS resolves your complaint, you may have the possibility to engage in binding arbitration through the Data Privacy Framework Panel or otherwise seek a resolution as set out in the SCCs. We are committed to protecting the privacy of our customers’ data. We will continue to monitor and evaluate new guidance as it emerges.
12. GENERAL TERMS
12.1 Termination
You have the right to terminate this DPA (and by operation the Standard Contractual Clauses) by termination of the applicable Agreement, according to the terms of the Agreement.
12.2 Return and Deletion of Personal Data
- You have the ability to request deletion and removal of documents and information containing Personal Data via your GettyImages account representative, through your administrator account (as may be applicable) or by emailing privacy@gettyimages.com.
- For such information other than that GettyImages may be required to retain, in order to support the Agreement’s terms, or as required by Applicable Law, GettyImages shall return or delete or remove the Personal Data upon written request from you at the termination of the DPA.
12.3 Limitation of Liability; Exclusion of Certain Damages
IN NO EVENT WILL GETTY IMAGES BE LIABLE TO YOU OR YOUR END USERS, WHETHER UNDER CONTRACT, TORT, OR ANY OTHER THEORY OF LIABILITY, FOR (I) ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, INDIRECT, OR PUNITIVE DAMAGES FOR ANY CLAIM ARISING IN CONNECTION WITH THIS DPA, EVEN IF GETTY IMAGES HAS BEEN GIVEN ADVANCE NOTICE OF SUCH POSSIBLE DAMAGES; OR (II) ANY AMOUNT IN EXCESS OF FIVE THOUSAND DOLLARS ($5,000) FOR ANY CLAIM ARISING IN CONNECTION WITH THIS DPA.
12.4 Order of Precedence
- This DPA shall be incorporated into and form part of the Agreement.
- In the event of any conflict or inconsistency between: (i) this DPA and the Agreement, this DPA shall prevail; or (ii) any Standard Contractual Clauses entered into pursuant to section 8 and this DPA, those Standard Contractual Clauses shall prevail.
12.5 Miscellaneous
This DPA together with the Agreement comprise the entire agreement between GettyImages and you and supersedes all prior or contemporaneous negotiations, discussions, or agreements, whether written or oral, between the parties regarding the subject matter contained herein. Notwithstanding any language to the contrary therein, no terms or conditions stated in any other terms or other documentation (excluding the Agreement) shall be incorporated into or form any part of this DPA, and all such terms or conditions are null and void. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Laws and Applicable Privacy Law.
List of Attachments and Schedules
ATTACHMENT 1 – INTERNATIONAL DATA TRANSFERS AND DESCRIPTION OF PROCESSING
Part 1 – Modules and Options
The parties confirm that the following Module(s) from the EU SCCs shall apply as applicable with the following options to the international data transfer of Personal Data under this DPA:
Part A: Controller to Controller (C2C) Transfers
1. Where the Data Importer is Processing as a Controller Personal Data protected under the EU GDPR outside the EEA in a territory or sector not at that time subject to an EU Adequacy Finding then, subject to clause 7, the EU SCCs will be deemed entered into (and incorporated into this Agreement by this reference) between the transferring Data Controller and that Data Importer in relation to that Personal Data and completed as follows:
- Module One will apply;
- in Clause 7, the optional docking Clause will not apply;
- in Clause 11, the optional language will not apply;
- in Clause 17 (Option 1), the EU SCCs will be governed by Ireland’s law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- in Annex I:
  - Part A: with the information set out in Parties listed in the Agreement;
  - Part B: with the relevant Processing Annex(es) set out in Schedules A.1 through A.2 to this DPA; and
  - Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
- Annex II: with Schedule B to this DPA.
Part B: Controller to Processor (C2P) Transfers
2. Where the Data Importer is Processing as a Processor Personal Data protected under the EU GDPR outside the EEA in a territory or sector not at that time subject to an EU Adequacy Finding then, subject to Clause 7, the EU SCCs will be deemed entered into (and incorporated into this DPA by this reference) between the transferring Data Controller and that Data Importer in relation to that Personal Data and completed as follows:
- Module Two will apply;
- in Clause 7, the optional docking Clause will not apply;
- in Clause 9, Option 2 will apply;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- in Annex I:
  - Part A: with the information set out in Parties listed in the Agreement;
  - Part B: with the relevant Processing Annex(ures) set out in Schedule A.1 and A.2 to this DPA; and
  - Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
- Annex II: with Schedule B (Technical, Organizational and Administrative Measures); and
- Annex III: with Schedule C to this DPA.
Part C: Processor to Processor (P2P) Transfers
3. Where the Data Importer is Processing as a sub‑Processor Enterprise Customer Data protected under the EU GDPR outside the EEA in a territory not at that time subject to an EU Adequacy Finding then, subject to clause 7, the EU SCCs will be deemed entered into (and incorporated into this Agreement by this reference) between the transferring Data Controller and that Data Importer in relation to that Enterprise Customer Data and completed as follows:
- Module Three will apply;
- in Clause 7, the optional docking Clause will not apply;
- in Clause 9, Option 2 will apply;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- in Annex I:
  - Part A: with the information set out in Parties listed in the Agreement;
  - Part B: with the relevant Processing Schedules set out in Schedule A.1 to A.2 to this DPA; and
  - Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
- Annex II: with Schedule B to this DPA; and
- Annex III: with Schedule C to this DPA.
Part D: Processor to Controller (P2C) Transfers
4. Where the Data Importer is Processing as a Controller Transferred Data protected under the EU GDPR outside the EEA in a territory or sector not at that time subject to an EU Adequacy Finding then, subject to clause 7, the EU SCCs will be deemed entered into (and incorporated into this Agreement by this reference) between the transferring Data Controller and that Data Importer in relation to that Transferred Data and completed as follows:
- Module Four will apply;
- in Clause 7, the optional docking Clause will not apply;
- in Clause 11, the optional language will not apply;
- in Clause 17, the EU SCCs will be governed by Ireland’s law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- in Annex I:
  - Part A: with the information set out in Parties listed in the Agreement; and
  - Part B: with the relevant Schedule A.1 through A.2 to this DPA.
Part 2 – List of Parties
The Parties agree that this Part 2 of Attachment 1 constitutes Annex I.A of the EU SCCs (where applicable).
Data Exporter(s):
- Name: Customer (as set out in the Agreement)
- Address: As provided for in the DPA and/or Agreement
- Contact person’s name, position and contact details: As provided for in the DPA and/or Agreement
- Activities relevant to data transferred: See Schedules A.1 and A.2
- Role (controller/processor): Controller

Data Importer(s):
- Name: GettyImages (US), Inc.
- Address: As provided for in the DPA and/or Agreement
- Contact person’s name, position and contact details: As provided for in the DPA and/or Agreement
- Activities relevant to data transferred: See Schedules A.1 and A.2
- Role (controller/processor): Controller and/or Processor
SCHEDULE A.1: CUSTOMER RELATIONSHIP DATA
This Processing Annex describes one of the categories of Customer Personal Data transferred by Data Controllers and the purposes for which that Customer Personal Data may be Processed by GettyImages as Data Importer.
- Categories of data subjects whose personal data is transferred: Customers – Employees of past, present and potential customers.
- Categories of personal data transferred:
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: GettyImages does not anticipate the collection of any sensitive data as a Controller or Processor with respect to consumer data.
- The frequency of the transfer (e.g., whether the data is transferred on a one‑off or continuous basis): Continuous.
- Nature of the processing: Customer relationship management.
- Purpose(s) of the data transfer and further processing: The management and administration of customer relationship and services including: providing products and services; services management; business development; marketing, advertising and public relations in connection with GettyImages company business activities, goods or services; licensing of still and moving images and online content; the conduct of GettyImages company's business activities; monitoring usage of the GettyImages services to ensure compliance with GettyImages policies and terms of use, service improvements and data analytics.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For as long as the Data Controller and Data Importer are in a contractual relationship subject to an Agreement, subject to GettyImages retention policies, and business continuity/disaster recovery requirements.
- For transfers to (sub‑) Processors, also specify subject matter, nature and duration of the processing: Where the Data Importer engages Processors (or sub‑Processors) it will do so in compliance with the terms of the Standard Contractual Clauses. The subject matter, nature and duration of the Processing activities carried out by the Processor (or sub‑Processor) will not exceed the subject matter, nature and duration of the Processing activities as described in this Annex. A list of approved sub‑Processors is provided in Schedule C.
SCHEDULE A.2: ENTERPRISE CUSTOMER DATA PROCESSING
This Annex describes the types of Enterprise Customer Data transferred by Data Controllers and the purposes for which that Enterprise Customer Data may be Processed by the Data Importers.
- Categories of data subjects whose personal data is transferred: Data subjects of which a GettyImages Customer is the Controller which will depend on the nature of the service and may include employees, consumers, or other individuals (whether current, past or potential).
- Categories of personal data transferred: This will depend on the particular service provided to the Customer but may include the following categories of data:
  - End users/customers of GettyImages
  - Employees of GettyImages Customers
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: GettyImages does not anticipate collection of special category data.
- The frequency of the transfer (e.g., whether the data is transferred on a one‑off or continuous basis): Continuous.
- Nature of the processing:
- Purpose(s) of the data transfer and further processing:
  - End users/GettyImages Enterprise Customers ‑ the management and administration of Customer use of and access to the services; the administration of orders and accounts; providing products and services, including online ordering, and billing; performance analysis including volume / frequency of orders; product management; business development; and the conduct of the Data Importer’s business activities.
  - Employees of GettyImages Enterprise Customers ‑ the management of employment‑related activities.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For as long as (i) the Data Controller and Data Importer are both in a contractual relationship under an Agreement and (ii) the Data Processor provides services which requires the Processing of Enterprise Customer Data on behalf of Controllers.
- For transfers to (sub‑) processors, also specify subject matter, nature and duration of the processing: Where the Data Importer engages Processors (or sub‑Processors) it will do so in compliance with the terms of the Standard Contractual Clauses. The subject matter, nature and duration of the Processing activities carried out by the Processor (or sub‑Processor) will not exceed the subject matter, nature and duration of the Processing activities as described in this Annex. A list of approved sub‑Processors is provided in Schedule C.
SCHEDULE B: TECHNICAL ORGANIZATIONAL AND ADMINISTRATIVE MEASURES
| Control | Control Mechanism | Details |
| --- | --- | --- |
| Design control | Data minimization | |
| Data Access and Disclosure Control | Selected Encryption at Rest; Encryption in Transit; Requirements‑driven definition of the authorization scheme and access rights | |
| Monitoring | Logging | |
| Limit on sharing | Controller Access Controls | |
| Limit on access | Processor Access Controls: Acceptable Use Policy | |
| Limit on retention | Retention Policy | |
| Accountability | Code of Conduct | |
| Accountability | Data Flow | |
| Accountability | Sub‑processor Contracts; Standard Contractual Clauses | |
| Limit on sharing | Segregation Control | |
| Availability | Business Continuity | Administered by service provider or service provider’s sub processor: |
| Access Control to Premises & Facilities | Security and surveillance systems | |
| Access Control to Systems | Technical and organizational user controls | |
Schedule C: APPROVED THIRD PARTY SUB PROCESSORS
| Name | Jurisdiction | Processing Activity |
| --- | --- | --- |
| Amazon EMR | United States of America | Data platform |
| Amazon Web Services, Inc. (AWS) | United States of America | Cloud compute platform (IaaS, PaaS), storage and web service provisioning |
| Brandfolder, Inc. | United States of America | Services Partner |
| Checkout.com | United States of America | Payment processor |
| Concur | United States of America | Expense process management; Accounts Payable Automation for vendor invoices and travel and expense |
| Eloqua | United States of America | Email distribution and marketing automation platform |
| Google, Inc. | United States of America | Email and business tools, cloud platform services and analytics services |
| Kount | United States of America | Credit card fraud detection |
| Language I/O | United States of America | Real‑time chat translation service |
| Looker | United States of America | Business intelligence, data visualization and big data analytics platform |
| Lever | United States of America | Applicant tracking system for recruiting |
| Mastercard | United States of America | Website security risk scoring platform used to assess user behavior |
| MasterSAF | Brazil | Accounting/Tax Authority Service |
| Microsoft | United States of America | Email, business tools, and storage |
| Mimecast | United States of America | Email archive and security |
| New Voice Media US, Inc. | United States of America | Sales and Support call center and voice mail |
| OneTrust, LLC | United States of America | Cookie preference center |
| Oracle America Inc. | United States of America | Accounting and financial platform |
| Salesforce.com, Inc. | United States of America | Enterprise customer relationship management. Customer support ticketing/case management. |
| ServiceNow | United States of America | IT technical, service, and operations management platform |
| Slack, Inc. | United States of America | Instant messaging |
| Snowflake | United States of America | Cloud data warehouse and automation |
| Splunk, Inc. | United States of America | Log collection, archiving, and analysis |
| Survey Gizmo | United States of America | Survey platform |
| TaxOne | Brazil | Brazilian Tax platform |
| Thomson Reuters ONESOURCE Indirect Tax | United States of America | Tax calculation for customer orders/invoices |
| TyMetrix 360° | United States of America | Enterprise Legal Matter and Cost Management |