Data Processing Agreement

Data Processing Agreement (DPA)

Last updated: October 7, 2025

This Data Processing Agreement (“Agreement” or “DPA”) forms an integral part of any contract or project agreement between Garac Business Group LLC, a company registered in Wyoming, USA (“Processor”, “we”, “our”, or “us”), and the client (“Controller”, “you”, or “your”) who engages our creative and production services.

This Agreement ensures compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the UK Data Protection Act 2018, and other applicable data protection laws.

1. Purpose and Scope

This DPA governs the processing of personal data by Garac Business Group LLC on behalf of the Controller for the sole purpose of providing creative, video production, and related services as described in the main contract or proposal.

We will process personal data only under your documented instructions and solely for the agreed purposes.

2. Definitions

For the purposes of this Agreement:

  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
  • “Controller” means the entity that determines the purposes and means of processing personal data.
  • “Processor” means the entity that processes personal data on behalf of the Controller.
  • “Sub-processor” means any third party engaged by the Processor to assist in processing activities.

3. Processor Obligations

Garac Business Group LLC agrees to:

  1. Process personal data only as instructed by the Controller and not for any other purpose.
  2. Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational measures to protect data against unauthorized access, loss, or alteration.
  4. Assist the Controller in ensuring compliance with GDPR obligations, including data breach notifications and data subject requests.
  5. Maintain records of all processing activities related to the Controller’s data.
  6. Delete or return all personal data to the Controller upon termination of the project or at the Controller’s written request.

4. Controller Obligations

The Controller is responsible for:

  1. Ensuring the lawful collection and transfer of personal data to the Processor.
  2. Providing clear, documented processing instructions.
  3. Informing data subjects (such as clients, models, or collaborators) about the processing and ensuring all required consents are obtained.
  4. Reviewing and approving any Sub-processors engaged by the Processor.

5. Categories of Data and Data Subjects

The types of data that may be processed include, but are not limited to:

  • Name, surname, and contact information (email, phone).
  • Visual or audio material (e.g., photos, videos) recorded during production.
  • Contract or payment information when applicable.

Categories of data subjects may include:

  • Clients, brand representatives, models, collaborators, or any other individuals appearing in creative content.

6. Sub-Processors

We may engage trusted third-party Sub-processors for hosting, storage, or data management (e.g., Google Workspace, Vimeo, Frame.io, or Adobe Cloud).
Each Sub-processor is bound by data protection terms no less strict than this Agreement.

A list of active Sub-processors is available upon request.

7. Data Transfers Outside the EEA

Since Garac Business Group LLC operates from the United States, personal data may be transferred and processed outside the European Economic Area (EEA).
Such transfers are protected using appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Security Measures

We maintain a robust security framework that includes:

  • Encrypted storage and secure file-sharing protocols.
  • Access control limited to authorized personnel.
  • Regular security updates and vulnerability monitoring.
  • Secure deletion and backup policies.

A detailed list of technical and organizational measures (TOMs) can be provided upon request.

9. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay after becoming aware of it, providing all relevant information to enable the Controller to meet its legal obligations under GDPR Articles 33 and 34.

10. Data Subject Rights

We will promptly assist the Controller in responding to any data subject request (access, correction, deletion, restriction, or portability) received directly or indirectly, within the legal timeframe set by applicable law.

11. Audit Rights

The Controller has the right to request reasonable information demonstrating our compliance with this DPA.
Audits or inspections must be:

  • Conducted during normal business hours,
  • With prior written notice of at least 14 days, and
  • Without disrupting normal business operations.

12. Duration and Termination

This DPA remains in effect for the duration of our contractual relationship.
Upon termination of services, Garac Business Group LLC will either delete or return all personal data, unless retention is required by law.

13. Liability

Each party’s liability arising from this DPA shall be subject to the same limitations and exclusions of liability as those agreed in the main service contract.

14. Governing Law and Jurisdiction

This DPA shall be governed by and construed under the laws of the State of Wyoming, USA, unless mandatory data protection laws of the EU or UK require otherwise.

Any disputes shall be resolved in the courts of Sheridan County, Wyoming.

15. Contact Information

If you have any questions regarding data protection, please contact our privacy team at:

Garac Business Group LLC
Email: [email protected]
Address: 30 N Gould St Ste R, Sheridan, WY 82801, USA