PRIVACY POLICY
INTRODUCTION
At Ian Wallis Photography I take data security very seriously. I recognise the importance of ensuring that personal data is only collected when it is completely necessary, and that it is processed only when I have a legal basis to do so. I continuously monitor my procedures to ensure that the environments in which any data is stored are protected adequately to industry-recognised standards.
As a valued customer it is my responsibility to process any data you provide for me, or that I collect on your behalf, in a secure environment, and, if necessary, I only use staff who are specifically trained as to the sensitivity of the data that passes before them in the course of their employment.
Under the General Data Protection Regulation (UK GDPR in the UK and EU GDPR in the EEA (European Economic Area)), I have responsibilities defined for me which I accept and fulfil. In the case of data provided by you while placing an order, I am the data controller, which means that I will make decisions as to how I process your data in order to fulfil your order. Subsequently, I may contact you to give you the opportunity to make purchases of other photographs I may have captured of you or your child, and you can choose to unsubscribe from such further contact at any time.
My Privacy Policy is designed to reassure website users, subscribers and all customers who make purchases through the website, that I will only process your data when it is necessary, and even then, within secure physical and electronic environments. In addition to that, the GDPR (UK GDPR in the United Kingdom, EU GDPR in the EEA (European Economic Area)) gives you certain rights, one of which is The Right to be Informed. In line with this right, this Privacy Notice will inform you of the following:
The Information that I Gather
Disclosure and Transfer of Personal Information
Sources and Legal Bases for Processing of Personal Data
Retention and Deletion of Personal Data
Your Rights
How to Contact Me
I review my privacy practices from time to time, in line with suggested Information Commissioner’s Office (ICO) guidelines. To contact me about privacy issues relating to my website, to report a violation of my Privacy Policy, or to raise any other issue, please e-mail me at ianwallisphotography@me.com.
THE INFORMATION I GATHER
I gather two types of information about users:
Use of the Information:
Your contact details and other data you may supply as part of the registration process are stored and processed by me to enable you to access the services on my website and to provide you with the goods you have purchased or the information you have requested.
If you have provided an address when purchasing goods, my website may automatically fill in that information on a subsequent order form for your purchase of goods. This is simply a convenience - no information is released to anyone unless you authorise its release, such as by clicking a "Submit" button.
I may pass your contact details on only to a chosen delivery company, for the sole purpose of delivering your order and informing/updating you on the delivery progress of your order, if needed.
I will hold your personal information for as long as is necessary to provide excellent service to you in respect of the product you purchase. This is of particular importance where similar products are purchased over a number of years and if a customer wishes to check the make-up and detail of previous orders.
DISCLOSURE AND TRANSFER OF PERSONAL INFORMATION
I do not sell, trade or lease the personal information you entrust to us.
The data I control is always kept within the British Isles. Data is never transferred outside of geographical Europe.
I use the appropriate security methods to protect the data that resides on any servers that I may have. However, no security system is impenetrable. I cannot guarantee the security of any servers that I use, nor can I guarantee that information that users supply will not be intercepted while being transmitted to me over the internet.
I may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which I am subject, or in order to protect your vital interests or the vital interests of another person.
SOURCES AND LEGAL BASES FOR PROCESSING OF PERSONAL DATA
Under the GDPR (UK GDPR (United Kingdom General Data Protection Regulation) in the United Kingdom, EU GDPR (European Union General Data Protection Regulation) in the European Economic Area (EEA)) I am required to provide you with certain information relating to the data I process. These are as follows:
The general categories of personal data that I may process.
In the case of personal data that I did not obtain directly from you, the source and specific categories of that data.
The purposes for which I may process personal data.
The legal basis of the processing.
When you register an online account with me, such as when you place an order through the website, I may ask you for your contact details, including your name, address, telephone number and email address. I may process this data to allow essential functions to include communication with you, ensuring data security, and completing your order(s). There are several legal bases for these activities, such as fulfilment of my contract with you, and conducting my legitimate business interest of ensuring good customer service.
I may process data about your use of my website and services, and this may include pages you visit, links you follow and ordering data. This usage data may be processed to analyse the use of the website and services. This is in order to make improvements and is made available to me through my web-analytics reporting system via a company called Online Picture Proof, who host and maintain my website. The legal basis for this processing is my legitimate business interest of making my website as efficient and effective as possible.
I may process information that you provide to me to send you email notifications and/or newsletters, or to send you special offer emails. The legal basis for this processing is legitimate business interest of generating sales through the website.
Subject data is provided by a school, college or organisation with whom I potentially have a data protection agreement (DPA) – if a DPA is deemed necessary. This data is limited only to that which is required in order to sufficiently identify who is contained in the photographs; such as full name, class identification, admission number and academic or boarding house information, and any other information that may be required. Processing is performed in order to provide the services that the school or organisation have engaged me to perform. The processing is carried out in line with any contractual obligations with a school, under the terms of any DPA that may be in place. This is performed even if I do not have a DPA in place with the establishment with whom I am working.
I capture and process photographs (deemed to be personal data under the GDPR (UK GDPR in the United Kingdom, EU GDPR in the EEA (European Economic Area))) as my central and core service. The photograph data is processed to provide the service I have been contracted to complete. I am engaged to capture the photographs on behalf of the school or organisation, so they need to have a lawful basis for the processing. The school or organisation is also responsible to make sure that no one is presented for photography whose preference is that they are not included. Under the GDPR this preference can be expressed by the parent or guardian and/or the person themselves if they are 12 or over. All processing carried out by Ian Wallis Photography as controllers or joint controllers to make the images available for sale to parents, pupils and/or subjects is based on legitimate interest.
In addition to the specific information related to processing noted above, I may retain your personal data where such retention is necessary for compliance with a legal obligation to which I am subject, or in order to protect your vital interests or the vital interests of another person.
RETENTION AND DELETION OF PERSONAL DATA
The GDPR (UK GDPR (United Kingdom General Data Protection Regulation) in the United Kingdom, EU GDPR (European Union General Data Protection Regulation) in the European Economic Area (EEA)) requires me to maintain a company policy in relation to how long I keep various categories of personal data.
Personal data is kept for no longer than it is needed in order to serve the purpose for which it was collected.
I do not store credit card information on my systems.
A summary of the length of time I retain different types of information is as follows:
Photographs: These are the intellectual property of the company, and copyright on such work lasts for 75 years. I will, therefore, retain photographs for 75 years. After this point images are reviewed for longer preservation, to assess their historical relevance. If they are likely to become valuable historically, they are added to an archive.
Order Data: This is kept for 40 years in order to be able to inform you whether or not you have previously ordered a particular photograph or photographs.
Identification Data (Name, Admission Number and/or Class - provided by the school or college): This is kept electronically alongside portraits, and is kept in a secure database - only accessible by authorised users - for 75 years in line with copyright, and to ensure that these are made available only to the subject, or to close relatives of the subject.
In addition to the specific information related to retention and deletion noted above, I may retain your personal data where such retention is necessary for compliance with a legal obligation to which I am subject, or in order to protect your vital interests or the vital interests of another person.
YOUR RIGHTS
The GDPR (UK GDPR (United Kingdom General Data Protection Regulation) in the United Kingdom, EU GDPR (European Union General Data Protection Regulation) in the European Economic Area (EEA)) defines certain rights that you as a data subject may exercise in relation to your personal data.
In summary, these rights are as follows:
The Right of Access
The Right to Rectification
The Right to Erasure
The Right to Restrict Processing
The Right to Data Portability
The Right to Object
Rights in Relation to Automated Decision Making and Profiling.
Some of the details of terms listed above are explained as follows. As some of these terms are complex, this should not be seen as a full explanation, and I certainly recommend that you read information presented by the regulatory bodies for further details.
The Right of Access
You have the right to request a copy of the personal data I hold, plus supplementary information, such as whether I am processing your data, along with the reasons. In most cases, as long as the rights of a third party aren't compromised, I will comply with your request within a calendar month.
For clarity, I only hold data necessary to record what you have ordered, to make sure the order gets to you at the correct address, and to contact you about your order, and about potential future orders. I don't collect or store any data which isn't needed for these purposes.
The Right to Rectification
If any data I hold is incorrect, you have a right to request that this is corrected for you.
The Right to Erasure
If you no longer wish me to store or process your personal data, you have a right to request that any data I hold is erased or deleted. If you contact me to request a Right to Erasure, I will comply where possible, but there are exceptions, or exclusions to this right. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims. It may also be that the legitimate business interests of the company would be threatened by the erasure. For these reasons, the company has the right to reject a request under the Right to Erasure, but I will always explain to you clearly why the decision was taken, and what you can do next.
The Right to Restrict Processing
You may have a reason to request that I do not process your data for a specific period of time. Legal bases for this could be:
As an alternative to the Right to Erasure, you may wish to request that I do not process your data for a specific period of time. You can make this request under your Right to Restrict Processing.
There are several legal exemptions to the Right to Restrict Processing: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another person; or for reasons of important public interest. It may also be that the legitimate business interests of the company would be threatened by the restriction. For these reasons, the company has the right to reject a request under the Right to Restrict Processing, but I will always explain to you clearly why the decision was taken, and what you can do next.
The Right to Object
You have the right to object to my processing of your data in relation to marketing. If you object, I will cease to contact you for this reason from the date of your request.
You also have a right to object to my processing of your personal data on grounds relating to your particular situation, but the processing may be necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by me or by a third party. If you exercise your Right to Object, I will cease to process the personal information unless there are legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. It may also be that the legitimate business interests of the company would be threatened by the objection. For these reasons, the company has the right to reject a request under the Right to Restrict Processing, but I will always explain to you clearly why the decision was taken, and what you can do next.
Rights in Relation to Automated Decision Making and Profiling.
To the extent that the legal basis for my processing of your personal data is: (a) consent; or (b) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, and such processing is carried out by automated means, you have the right to receive your personal data from me in a structured, commonly used and machine-readable format.
If you consider that my processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state where you normally live, your workplace or the place of the alleged infringement.
If the lawful basis for processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal of consent cannot be backdated from the actual date of receipt.
HOW TO CONTACT ME
If you wish to exercise any of your rights in relation to the data I hold about you, you may do this in writing.
You may also ask me any questions about this privacy statement.
You may email me at ianwallisphotography@me.com.
If you would prefer to contact me by post, please write to:
c/o Data Protection Officer
Ian Wallis Photography
2 Advent Way
Manchester
M4 7LL
The address above is also my business address, where I conduct my business securely and safely, as Ian Wallis Photography.
If you wish to view my ICO Data Protection Registration Certificate, then please visit the webpage below and search for Ian Wallis Photography:
https://ico.org.uk/ESDWebPages/Search
I can also email you a copy of the certificate, should you require this.
And finally, you can telephone the designated Data Protection Officer for Ian Wallis Photography on 07793009918 (name, Mr Nicholas Markley) for any advice and information regarding GDPR relating to Ian Wallis Photography.