We totally respect your personal information and will only ask you for what information we need. We will look after your data in the same way as we would want our own to be looked after and will keep it secure.
We need your personal information to be able to deliver our service to you, to personalise your experience, for marketing, to send promotions to you and for self-assessment record keeping for HMRC.
We will only share it with others where we need their help to deliver our services to you. Please be assured that we will only share your information for the circumstances contained within this policy. We will never sell your personal information.
1. THE DATA WE COLLECT
Gemerations Photography is the data controller and we collect a variety of data in order to deliver our services to you, and we will manage your personal data transparently, fairly and securely.
We will ask you to provide us with the following data, in order for us to be able to provide all of our photographic services to you:
· Full name of parent / adult
· Full address / postcode
· Email address
· Telephone number (Landline / Mobile)
· Full name of child
· Child’s date of birth
· Child’s age
· Child’s Medical Conditions/Health Issues/Allergies
We want you to be fully clear on the data we collect, so the Data Mapping table below highlights the following:
· The type of data we collect
· How and where we obtain this data
· Why we need to collect this data
· Who we will share this data with
· Where these third parties are based who we share data with
· Why the data needs to be shared with these third parties
· How long we keep the different types of data and why we need to keep it
Below is a table that shows how we manage your personal data:
The Data Mapping chart below shows how we manage your personal data
Being a photographic business, we create and manage images as per our contractual agreement(s) with our customers.
We use the above Data Map to ensure we meet the GDPR legal requirements. We ensure we seek your consent to use and store your data; this is done via our website, model release form and our paper consent form. We collect this data on a lawful basis to enable us to perform our contractual obligations to you, to deliver the service you have booked and paid for.
Cookies are small pieces of data that websites send to a user's computer and are stored on the user's web browser. They are designed to enable the website to remember information, for example what a user might have put in a shopping cart. When you visit our website on Wix there will be a pop-up menu regarding cookies where you can choose to accept or reject these being stored by the website. Cookies help us to provide a better experience to you when visiting our website. Customers are advised that if they wish to deny the use and saving of cookies from these websites on to their computer’s hard drive they should take necessary steps within their own web browser's security settings to block all cookies from this website and its external serving vendors or use the cookie control system if available upon their first visit.
2. WHICH THIRD PARTIES DO WE SHARE YOUR PERSONAL DATA WITH?
We share personal data with the following third parties:
· MailChimp (Newsletter provider)
Here data is transferred outside of the European Economic Area to the United States under the protection of EU/US Privacy Shield.
· Wix (Website Provider)
They are certified under the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, and therefore adhere to the Privacy Shield Principles.
· HMRC (Business Accounts)
They will, in some circumstances and where the law allows, share your data with third parties within the UK. They require third parties to respect the security of your data and to treat it in accordance with the law.
· 123 Reg (Email Provider)
Here email data is stored in their Leeds data centre. They use international web partners to filter emails for spam and viruses, but these partners do not store any email content. Data is not transferred outside of the European Economic Area.
We share some personal information such as photographs, name of children, age of child via Social Media Platforms, if signed consent has been given.
They share information globally, both internally within the Facebook Companies and externally with our partners and with those you connect and share with around the world in accordance with this Policy. Information controlled by Facebook Ireland will be transferred or transmitted to, or stored and processed in, the United States or other countries outside where you live for the purposes as described in this Policy. These data transfers are necessary to provide the services set forth in the Facebook Terms and Instagram Terms, and to globally operate and provide our Products to you. We utilise standard contractual clauses approved by the European Commission and rely on the European Commission's adequacy decisions about certain countries, as applicable, for data transfers from the EEA to the United States and other countries.
We share personal information in the form of photographs on Online Business Directories (Google My Business, Yell.com, 192.com, Thompson Local, Bing Places for Business, Find the Best Photographer); this will be done if signed consent has been given.
· Google My Business
They continue to offer a range of international data-transfer mechanisms and are certified under EU/U.S. and Swiss-U.S. Privacy Shield frameworks, which are a legal mechanism to enable the transfer of personal data from the EEA and Switzerland to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. They also offer EU-approved Model Contract Clauses for some services.
They may share personal data they collect outside the European Economic Area (“EEA”) and such destinations may not have laws which protect your personal data to the same extent as in the EEA. They are required by data protection law to ensure that where we or our “processors” transfer your personal data outside the EEA, it is treated securely and is protected against unauthorised access, loss or destruction and unlawful processing.
Except as specifically set out in this policy, 192.com does not disclose Your Personal Data to any other person or organization except that it may disclose Personal Data to 192.com employees and companies acting as data processors on 192.com's behalf. Data processors acting on 192.com's behalf may only use the information in line with 192.com's instructions. In addition 192.com may disclose Personal Information if required to do so by law or in the good faith that such disclosure is necessary to: (i) comply with legal process or assist law enforcement agencies including the Police and the Information Commissioner's Office; (ii) respond to claims of a violation of the rights of third parties; or (iii) protect the rights, property or safety of 192.com, its users, or the public.
· Thompson Local
The data that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom and the European Economic Area (“EEA”). It may also be processed by staff operating outside the UK or the EEA who work for us or for one of our suppliers. We will take all steps reasonably necessary to ensure that any personal data transferred outside the UK or the EEA is treated securely and in accordance with the applicable data protection laws. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
· Bing Places for Business
They share your personal data with your consent or to complete any transaction or provide any product you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; and to protect the rights and property of Microsoft and its customers.
· Find The Best Photographer
In general, any information you provide to Baby And Newborn Photography Association (BANPAS) will only be used by Baby And Newborn Photography Association (BANPAS). It will never be supplied to anyone outside of Baby And Newborn Photography Association (BANPAS) without first obtaining your consent, unless we are obliged or required by law to disclose it. We will hold your personal information on our systems for as long as you remain a client. We will ensure that all personal information supplied is held securely, in accordance with the Data Protection Act 1998.
Sharing without consent
There are also certain situations in which we may share access to your personal data without your explicit consent; for example, if required by law, to protect the life of an individual, or to comply with any valid legal process, government request, rule or regulation.
The NHS Test and Trace Service under Covid-19
Test and Trace is the NHS service which helps track down anybody who has been in close contact with someone who has tested positive for Coronavirus. An exception to the privacy of your personal details is that Gemerations Photography must comply with the NHS Test & Trace Service. In the event that your photographer develops Coronavirus Symptoms and subsequently tests positive for COVID-19 and you have recently attended the studio for your portrait session, your name, address, telephone number and email address will be passed to the NHS Test & Trace service immediately. If you want to know more about the Test & Trace service you can find out more here https://www.gov.uk/guidance/nhs-test-and-trace-how-it-works
3. WHY DO WE SHARE YOUR PERSONAL DATA WITH THE ABOVE?
We share your personal information to be able to deliver our service to you, to personalise your experience, for marketing, to send promotions to you and for self-assessment record keeping for HMRC.
Please refer to the Data Mapping Chart (in section 1) to see why we are sharing certain types of your Personal Data. We may transfer personal data to a country outside of the European Economic Area (EEA) if necessary e.g. if a third party we utilise could have servers located outside of the EEA. If this is the case, we will either obtain your consent or otherwise ensure that the transfer is legal, and your data is secure by following the EU's guidelines. You can see above where we send data outside of the EEA and on what basis we do so.
4. HOW DO WE KEEP YOUR PERSONAL DATA SECURE?
We keep all your data secure. Paper records are stored in a locked filing cabinet. The key is not left in the same location as the filing cabinet and is stored in a separate location after working hours. The computer is password protected and is on lock screen when not in use. Portable devices such as USBs and hard drive storage are encrypted to protect your data. No photos are stored directly onto the computer. The tablet and mobile have passwords and fingerprint recognition access. The studio building itself has security measures in place to stop access to the building, including CCTV inside and outside, along with motion sensors and alarms inside.
The external providers we use are also GDPR compliant and will keep your data secure:
Wix is our website provider and is GDPR compliant.
123 Reg is our email provider and is GDPR compliant.
Google My Business
Bing Places for Business
Find the Best Photographer
In the unlikely event of a criminal breach of our security we will inform the relevant regulatory body within 72 hours and, if your personal data were involved in the breach, we will also inform you.
6. HOW LONG WE KEEP DATA
We do not hold personal data any longer than we need to. The duration will depend on your relationship with us, and whether it is ongoing. We will hold your personal data for 7 years after our working contract with you has finished for tax legislation purposes, which is needed for the business’s self-assessment record keeping. This will include all data except photographs. Photographs are Gemerations Photography’s assets, and as such we have a legitimate interest to retain our own work and Copyright Legislation supports this fact, so we can keep these photographs indefinitely, should we choose to. This is also beneficial for customers, should they ever need replacement images. There will be a hard drive for each year to store these and archive them on.
7. YOUR RIGHTS
You have the following rights under the 2018 General Data Protection Regulation (GDPR):
· the right to be informed about the collection and use of your personal data
· the right of access to your personal data and any supplementary information
· the right to have any errors in your personal data rectified
· the right to have your personal data erased
· the right to block or suppress the processing of your personal data
· the right to move, copy or transfer your personal data from one IT environment to another
· the right to object to processing of your personal data in certain circumstances, and
· rights related to automated decision-making (i.e. where no humans are involved) and profiling (i.e. where certain personal data is processed to evaluate an individual).
· You have the right to manage your data at any time. Managing your personal data includes correcting any errors in your data, asking to view your data, and asking for it to be deleted.
If you wish to make a request to manage your personal data, this needs to be expressed via letter, marked for the attention of Gemma Hampton. Requests will be acknowledged within 7 working days, highlighting the course of action to be taken.
8. MAILING LISTS
By placing a booking you will be asked to provide an email address. There will be a consent box, asking whether you consent to being signed up to the Gemerations Photography mailing list. The mailing list is beneficial for customers because it will give priority booking access to mini photoshoots, a special discount code for existing customers and a newsletter.
Date of Policy: 20/09/2018
Next review date: 28/06/2021