Data Privacy Impact Assessment (DPIA)

Data Privacy Impact Assessment (DPIA) ConvoPhoto

  1. Project / Solution Description
    ConvoPhoto is a Canada-based event photography service and application that captures photographs
    at events, provides secure online galleries for viewing, and enables individuals to purchase
    photographic products. The solution operates exclusively within Canada and does not integrate with
    institutional academic systems.
  2. Purpose of Processing
    Personal information is processed solely to capture and deliver event photography, provide controlled
    access to private photo galleries, process photo orders and fulfillment, and communicate with
    individuals regarding orders or support inquiries.
  3. Categories of Personal Data
    Photographic images of individuals, names, email addresses, and order-related metadata. No
    academic records, government identifiers, health information, biometric identifiers, or financial account
    numbers are processed.
  4. Data Subjects
    Event participants, individuals accessing private galleries, and customers purchasing photographic
    products.
  5. Data Flow Overview
    Images are captured, securely stored, made available through controlled access galleries, and retained
    only as long as necessary. No institutional datasets are combined with personal data.
  6. Geographic Scope and Transfers
    All data collection, processing, and storage occurs in Canada. No international data transfers occur.
  7. Lawful Basis and Compliance
    Processing is based on consent and legitimate business purposes in accordance with Canadian
    privacy legislation.
  8. Privacy Risks Identified
    Risks include unauthorized access, over-retention of data, accidental disclosure through third parties,
    and incident response failures.
  9. Risk Mitigation Measures
    Mitigations include access controls, data minimization, limited retention, contractual third-party
    obligations, and documented incident response procedures.
  10. Residual Risk Assessment
    After mitigation, residual privacy risk is assessed as low.
  11. Stakeholder Impact
    No automated decision-making or significant effects on individuals are present.
  12. DPIA Outcome and Approval
    Privacy risks are acceptable and appropriately managed for the scope of the service.
  13. Review and Maintenance
    This DPIA will be reviewed and updated if material changes occur.
  14. Contact
    ConvoPhoto Privacy Contact Email: support@convophoto.ca
Scroll to Top