I (Helen Andrews) am the data controller here at H Andrews Photography.
I collect your name and the names of other people in your photo shoot (sometimes just the stars of the show- such as a wedding) sometimes everyone I'll be working with- like a newborn shoot, because it's much nicer to have a name to put with a face and it helps organise files too.
Contact details, email address, phone number, physical address so I can find your house (essential for a mobile photographer that works in your home)
All this information is a must for doing my job so I can get in touch if I can't find your house, send you gallery links to view your photos, arrange shoot times and all the other little essentials.
Where I get your data from:
I get all the main information from the person booking the photo shoot, so sometimes they tell me the names of other people in the shoot, but I don't sign up to any systems that offer lead generation so I get your data from you to do my job with.
I do have cookies, though I prefer biscuits,.. biscuits go better with the coffee that helps me work in to the small hours (also explains my expanding waist line) Though in all seriousness I don't garner any identifiable information from these. Just an idea of how people are interacting with the website in general.
What I do with your data
I keep it nice and safe, and use it for getting to your house, messaging you when your photos are ready and once again all the reasons you would expect really.
I don't do marketing emails, nor do I pass on your information to third parties except those absolutely needed in order to provide your service (or where the law requires- so tax purposes really)
I may pass on some minimal information when using a second shooter or assistant for a shoot- the location of the photo shoot which is often a home or wedding venue and contact phone numbers- handy if we need to find you on the day and get lost.
I will give your home address to royal mail, and your name too, but only where needed to deliver parcels of lovely photos.
Your face based data (images) will be processed by our print labs, who again will look after that too and on occasion may be sent to the framers temporarily to be prepared for delivery.
And I won't send your data on to anyone else unless your services or the law requires it. We have a Data Protection regime in place to oversee the effective and secure processing of your personal data.
And any staff that do operate systems or have access to messages or information will be trained to be GDPR compliant and won't be doing anything naughty with your information either.
I do love to share though- Photos and where you permit tagging of images/ naming of the family members, a natter about the day we shared. Only ever with your permission. But it is lovely to share photos and stories on social media and really does help me massively if I get permission to do so as it helps other people understand my services better.
I do also produce business cards, sometimes fliers, photo display albums and prints.. these are all opt in only options, so I only ever do these things where you have expressly given permission.
How long we keep your data
I keep minimal personal data for taxation purposes this will be kept in long term storage for 6 years.
I keep your order forms, consent forms and information used for cross referencing images and order dates indefinitely - this is so I can find your images if you ever need a replacement for any reason, or if you decide you want to re-order.
I keep your ordered images for an indefinite amount of time, though we aim for a minimum of two years from the order date, this is so that we can effectively back up your images just in case though we can not guarentee any amount of time. Where images have not been purchased/ ordered within one month of the viewing date they will be deleted*. *This will come in to place on all new orders from the 26th of October 2018.
Where a product order has been placed but payment not recieved I will retain your images for a maximum of 3 months.
I currently do not operate a marketing system so your information will not be used to contact you with marketing emails or telephone calls regarding special offers of future discounts, these will be advertised on our social media or on the website.
For wedding photography we retain all the best images from the day indefinitely. Occasionally digital files can become corrupt so we do not offer any guarentee that any or all stored images will remain available.
Online payment is taken through paypal, so sometimes in order to invoice you I will provide their systems with your email, other times you are dealing directly with them.
Where you request an update for future bookings we will keep basic info to continue provision of services as per your instructions.
If you E-Mail me or send me messages via social media, or fill in one of our contact forms these messages are stored within our e-mail system or social media accounts or our website this information will only be used to converse about your request and or services thereafter.
Booking, order and contract forms are retained currently indefinitely in order to ensure we have cross reference with any placed orders on our system as on some occasions photo shoots and orders can take place for several years in some cases after the contract has been signed.
Model contracts are retained indefinitely as they are in reference to images where consent has been expressly given to use images for advertising purposes in an ongoing situation.
Shared images on websites, social media and publications will again be stored indefinitely as I like to re-share them, but they are only those I have permission to share.
What are your rights?
You have the right to be forgotten. At any point after your contact with us you may request all your information to be removed from our files. And we will ensure we do this wherever the law allows- please note we are required to retain details of payments for accounting purposes for 6 years.
You can request we remove any images from our systems or website/ social media at any point and we will do so as soon as possible once the request has been received and confirmed.
You have the right to access your data.
Find out what we hold on you personally,. though that should be what you have provided me really, so you will already know.
I'm not a credit check company with loads of info from a million different places, I just know the things I need to do my job.
You have the right to be forgotten- for all your data that we are not required to keep by law to be erased from our systems at any point.
You have the right to data portability- to have your data transferred to another provider- though it would be difficult to process orders or provide a service without your informaiton.
You have the right to be informed- this means we tell you what we do with your information. And that any consent is given clearly by you.
You have the right to restricted processing- limiting what I do with your information, but again not doing marketing emails or selling your data on to people means I only process your information to do my job, and I can't really do that if I can't process your information.
Right to be notified- if there has been a data breach that compromises an individuals data then I will notify you within 72 hours of becoming aware of the breach.
You have the right to object. - This is more for processing informaiton for marketing purposes which is something we don't operate. You have the right not to be subject to automated decision making (which is something we do not operate) But if I were to start doing things outside of the essential to provide you the service and you objected I would stop.
If at any point you believe the information we process on you is incorrect you can request to see this information and have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact Helen at firstname.lastname@example.org who will investigate the matter.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office (ICO).
So that should cover everything but if you have any questions at all get in touch.
Version 1:2 12/12/2018