Alison Armstrong Photography – Privacy & Data Protection Policy 2018
This policy is for the website – www.alisonarmstrongphotography.com . The company Alison Armstrong Photography sets out the ways we seek to comply fully with the General Data Protection Regulation – known herein as GDPR and the Data Protection Act (pre-GDPR) and the Privacy and Electronic Communications Regulations (PECR).
This policy seeks to explain how this company collects, holds and uses personal data. If you have any questions or require any further information please do not hesitate to contact us to ask for clarification.
What personal data does the business collect/hold?
- Your name, date of birth, email address and wedding date is collected for those clients who complete the contact form on the website.
- name, date of birth, email address, phone number and postal address is collected on your booking form.
- Under GDPR – photographic images are classed as data. During your wedding day or portrait shoot the images taken of you are data which is collected by the photographer. This includes images of you and your guests.
- The processed images following the editing stage as persons can be identified from the images.
- When we are photographing a wedding/portrait session – we will be photographing your friends/family/guests. We are collecting data under GDPR by photographing images of them. Whilst we believe that by attending a portrait sessions/wedding, they have a reasonable expectation that there will be a photographer there taking photographs and that there will be minimal impact on their privacy by taking or using an image online or in social media, we make it a clause in our booking form that you make your guests aware that there is a photographer present and that if anyone does not wish for their image to be captured and shared online they notify the photographer.
How is this data used?
Your name, date of birth, phone number, email address and wedding date from the contact form is used to enable this business to communicate with you and identify whether we can work with you to supply your wedding/portrait services.
The same details are gathered on your booking form to enable us to communicate with you to arrange your wedding/portrait photography services and to deliver your final product to you.
Following your wedding/portrait session we like to keep in contact with our clients and may send thank you cards, special offers or marketing information.
We do not currently have a mailing list and you will never receive spam mail from us.
How is this data held?
All data gathered as a result of an initial enquiry that does not lead to a booking (completed booking form/payment of booking fee) is retained for 12 months, then deleted. This is because wedding bookings are typically made 12 months in advance and some prospective clients often meet with several photographers before making their selection, we need to have a record of the initial enquiry and response. This data is held in a ‘lead capture form’ in our secure, GDPR compliant case management system – ’17 hats’.
For those clients who book us to be their photographers they will complete a booking form. A paper copy is obtained and kept in a secure, locked cabinet in our home office which is inside a house with good security. This is a back up system and deemed necessary just in case online computer access cannot be accessed for any reason.
A electronic record of client details is also entered into our secure, GDPR case management system 17 hats. This is the system we use to email, send invoices and communicate with our clients.
Images are captured on memory cards during your session, these are backed up onto external hard drives following the shoot and are then locked in a secure filing cabinet. It is necessary to retain these until the final product as been delivered as these serve a backup. Once the final product has been delivered these memory cards are formatted (deleted).
One copy of your images is then retained on a hard drive – in a secure locked cabinet, another is uploaded to a secure, password protected and GDPR compliant, cloud storage (dropbox). Your images are also uploaded to a 3rd party supplier – pixieset which is a secure, password protected gallery system which enables you to share your images with your family and friends. In some cases a slideshow showcasing your images is made and uploaded to a 3rd party site called animoto. This again is secure and password protected. The link will be supplied to you as the client to share with those family and friends you would like.
If you do not wish for you images to be uploaded to either the gallery or for a slideshow to be uploaded to share with your family and friends, please let us know.
Data is transferred to third parties such as our case management system, secure cloud and gallery in a secure manner – e.g. over https.
How long is my data held for?
Initial enquiry data information is held for 12 months.
Client booking information and personal photographs are held for a minimum 7 years before being confidentially destroyed. This is deemed necessary in order to keep in touch with our clients, send them special offers we feel they would like, and in case they lose their images in the event of flood, fire, accidental image deletion by the client etc.
There may be occasions where we retain the images for longer periods. As the artist, the photographer retains intellectual property rights (copyright) in the image and so we consider has a ‘legitimate reason’ to retain the image data. ‘Legitimate reason’ under the GDPR means – data is used in a way you would reasonably expect and which has a minimal privacy impact or where there is a compelling justification for the processing’.
What rights do I have?
Under GDPR – A company can collect personal data with your consent or if they have a legitimate interest in doing so (data used in a way you would reasonably expect and which has a minimal privacy impact or where there is a compelling justification for doing so).
Under the GDPR regulations you have the following rights in relation to your data –
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to date portability
- the right to object
- the right not to be subject to automated decision making profiling
- the right to be forgotten
So what specifically does this mean for our photography clients?
We love to showcase some wow shots from your day and find our clients love seeing sneak peaks online. They receive so many compliments from friends and family when I do so, but it is our duty to make you aware you have certain rights to request how your images are used.
In accordance with GDPR regulations my clients have several options when it comes to image display.
Whilst it is essential for this business to be able to showcase regular, beautiful images for marketing purposes via the website or corresponding social media channels and/or share these with co-suppliers e.g. florists, hair dressers or wedding venues it is recognised that certain clients may benefit from limitations on sharing.
Therefore clients have the right to request any of the following:-
- non-people images to be shared – eg, just details such as flowers, shoes, venue etc
- non identifiable images of people- e.g. those that show just back of couple, hands holding, just feet, no facial features on display etc.
- to request no online images be shared
- to request in writing that identifiable and commissioned images be erased from online sources at any future point in time.
We will ask our wedding and portrait clients to sign a consent form which may be incorporated into your booking form or may be a stand alone document depending on the project/occasion.
Please rest assured, we care about you and your privacy, any image data will be used appropriately and with your consent (booking form/contract).
By providing your email address to us you consent to us contacting you about your wedding/portrait session and any marketing offers we feel you may be interested in. You have the right to opt out at any time and we will remove your personal details from our system.
You will never receive spam from us.
We do not have a mailing list at this time and send personalised emails in relation to your project only.
We use a wordpress site which is secure and password protected.
Users contacting us through our website do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely in our case management system, 17 hats, until it is no longer required or has no use.
We subscribe to Askimet which prevents any spam, Wordfence which puts in place various firewalls and security settings to keep our website safe and identifies any risks so we can take action and our host Sitegroud provides additional security measures. We upload our website using blogvault to a secure backup which is stored in our dropbox cloud (password protected and GDPR compliant).
All comments on blogs have to be approved by the website administrator.
This website may use tracking software from time to time to gain a better understanding of how users are using the site. This may save a cookie to your hard drive, we may discover what pages you visit for example, it does not store save or collect personal information.
External Website Links & Third parties
Although we only aim to include quality, safe and relevant external links, users are advised to adopt a policy of caution before clicking any external web links (you tube, vimeo, venue or supplier site) mentioned on our website.
We cannot guarantee or verify the contents of any externally liked website despite our best efforts. Users should therefore note they click on external links at their own risk and we cannot be held liable for any damages or implications caused by visiting any external links mentioned.
Social Media Policy
We have Facebook, Twitter and Instagram accounts. Users are advised to verify they are communicating with our official Instagram accounts before engaging with or sharing any information with such profiles. We will never ask for user passwords or personal details on social media platforms. Users are advised to conduct themselves appropriately when engaging with us on social media.
There may be instances where our website features social sharing buttons, which help share web content directly from web pages to the respective social media platforms. You use social sharing buttons at your own discretion and accept that doing so may publish content to your social media profile feed or page.
User comments will be monitored and every effort will be made to remove any inappropriate comment and where appropriate ban the user from engaging with the page (ie in the event of trolling).
Any downloadable documents, files or media via our pixieset gallery are provided to users at their own risk. All precautions have been taken to ensure online genuine downloads are available but users are advised to verify their authenticity using their party anti-virus software or similar.
We confirm that:-
- We only collect personal data in a fair, lawful and transparent manner
- We are collecting this data for a legitimate purpose, i.e. to communicate with you to identify whether we can work with you, to provide the best client experience, to deliver a finished product and to send you special offers that you may be interested in.
- We have limited the amount of information and data we request to what is relevant and necessary for processing.
- We will make every effort to keep your personal data in a manner that is secure.
- We only keep this data for as long as is necessary