Sprout Studio is committed to treating all data received or transferred by or for our subscribers in compliance with the new EU GDPR rules.

Sprout Studio is studio management software that acts on your behalf as a data processor. The Sprout subscriber is the data controller, and as such the primary GDPR responsibility falls on you, the subscriber, in relation to your end clients in the EU and UK.

Under the new GDPR rules, you, the subscriber, need to clearly communicate in your own terms of service and privacy policy that you use a third-party processor (you do not need to name Sprout Studio). For example, on your website you can post something like, “XYZ studios use an externally hosted third party to manage and administer your account.”

A copy of your client’s personal data is stored on secure servers through Sprout Studio’s third party providers. The providers are located in the USA and are certified under the EU-U.S. Privacy Shield Program.

Sprout Studio itself is based in Canada, and as such we already have adequacy status; see Article 45 of Regulation (EU) 2016/679.

Some tips for best practices

  • In your email signature, add a link to your terms of service and privacy policy
  • Have links to both your terms of service and privacy policy on your website home page
  • In regard to marketing to clients, when in doubt, get fresh consent. In other words, include an opt-in for clients to check a box if you want to market to them. Implied consent is no longer acceptable. Pre-ticked checkboxes are no longer allowed.
  • If a client opts in to receive an information PDF on your website or landing page by giving you an email address, you may only send them information on what they asked for. Be sure to always include an option to unsubscribe or opt out on all communications to a client.
  • In your online contracts, add a checkbox for the client to expressly give you consent to use their photos/images for your studio marketing and promotion, and list anywhere you will want to use those images. (This checkbox feature already exists in Sprout.)
  • Keeping your client’s data. You can retain client information while you are providing services to them and then for a reasonable period after that. (contract limitation is six years)
  • On your own website, install a cookie banner (see WordPress GDPR Plugins or Squarespace Cookie Banner)

This information is not meant to be construed as legal advice. Always consult your own lawyer.

For a more in-depth article on how the GDPR will affect photographers, please check out this video!

For more information, check out Sprout’s Privacy Policy and Terms of Service
