Sarah Fisher Photography is committed to safeguarding the privacy of our clients’ personal information and data and will comply with the General Data Protection Regulation (“GDPR”), which came into force on 25th May 2018.
GDPR is Regulation (EU) 2016/679, the regulation in EU law on data protection and privacy for all individuals within the European Union. It replaces the previous 1995 data protection directive, which current UK law is based upon.
As a business we have legitimate reasons to collect our clients’ personal data: to fulfil our obligations under services agreements to the client, to market our business and to comply with legal obligations in respect of processing our accounting functions.
In addition, we have a “Legitimate Interest” in the collection and processing of visual and audio data that is also defined as “Personal Data” under the GDPR.
Summary and Key Definitions for this Policy Statement
“Company” – means Sarah Fisher Photography – The Studio, Chart Cottage, Turners Hill Road, Crawley Down, RH10 4HG – www.SarahFisherPhotography.co.uk
“Client” – means an individual person, company, or business, either singular or as a collective/plural, whether currently trading with the Company or not, or making enquiries, seeking quotes or, after giving specific Consent, agreeing to communications with/from the Company;
“Services Contract” – means any services or product provided to the Client by the Company whether under contract or not and whether written down on paper or in digital form or agreed verbally. Such services may include, but are not limited to, Photography, Video Filming, and Audio Recording;
“GDPR” – General Data Protection Regulation – The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018;
“Personal Data” – means any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person;
“Processing” – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Data Subject” – means a natural person whose personal data is processed by a Data Controller or Data Processor;
“Consent” – means freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their Personal Data;
“Data Controller” – means the entity that determines the purposes, conditions and means of the processing of Personal Data;
“Data Processor” – means the entity that processes data on behalf of the Data Controller;
“Data Erasure” – also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data;
“Encrypted Data” – means personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access and authority;
“Filing System” – means any specific set of personal data that is accessible according to specific criteria, or able to be queried;
“Subject Access Right” – also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them;
“Portfolio” – means the Company’s intellectual and copyright photographic and video images along with sound and recorded audio for the purposes of our Legitimate Interest in further marketing our business to Clients via our websites, display devices such as iPads, and marketing literature in paper or digital form;
Lawful Bases for Processing
The lawful bases for Processing Personal Data are set out in Article 6 of the GDPR. Sarah Fisher Photography will process Personal Data under the following lawful bases: –
- Consent: our client has given clear consent for us to process their Personal Data for a specific purpose;
- Contract: the Processing is necessary for us to comply with our Services Contract with our Client, or because they have asked us to take specific steps before entering into a Services Contract;
- Legal obligation: the Processing is necessary for us to comply with the law;
- Legitimate interests: the Processing is necessary for our Legitimate Interests or the Legitimate Interests of a third party unless there is a good reason to protect the Client’s Personal Data which overrides those Legitimate Interests.
Fair Processing Notice
During the course of our activities, the Company will process Personal Data (which may be held on paper, electronically, or otherwise) about our Clients and we recognise the need to treat it in an appropriate and lawful manner, in accordance with the Data Protection Act 1998 (“DPA”) and GDPR.
We will comply with the eight data protection principles in the DPA, which say that personal data must be:
- Processed fairly and lawfully;
- Processed for limited purposes and in an appropriate way;
- Adequate, relevant and not excessive for the purpose;
- Not kept longer than necessary for the purpose;
- Processed in line with individuals’ rights;
- Not transferred to people or organisations situated in countries without adequate protection.
We will process Client Personal Data for the Legitimate Interest of the provision of our Client Services Contracts. With Client Consent, Personal Data may also be used as Portfolio related to the marketing of our Photography, Video Filming and Audio business.
In providing services to you, we use your data in the following ways:
- To update and enhance Client records;
- For statistical analysis to help us manage our business;
- In order to complete statutory accounting and tax returns; and
- For legal and regulatory compliance.
We will only process Client Personal Data for the specific purpose or purposes notified to you or for any other purposes specifically permitted by the DPA. Client personal data will only be processed to the extent that it is necessary for the specific purposes notified.
We will keep the Personal Data we store about our Clients accurate and up to date. Data that is inaccurate or out of date will be destroyed. Please notify us if your personal details change or if you become aware of any inaccuracies in the Personal Data we hold about you.
We will not keep your Personal Data for longer than is necessary for the purpose. This means that, unless our Clients have provided Consent to continue to receive communications or marketing material from the Company, data will be destroyed or erased from our systems when it is no longer required.
Specifically, Client photographic, Video and Audio data, other than data that we are required to retain for legal reasons, will be destroyed after a standard period of 6 months following completion and delivery of the Services Contract or as agreed in the Services Contract between the parties. This will be extended to 24 months for wedding Clients who are still selecting imagery for a wedding album. Any data that we are legally required to retain will be destroyed within 6 months of that legal obligation ceasing to apply.
As a visual imagery and audio business, it is essential that we can offer Clients a selection of appropriate work to view; we call this work our Portfolio. Clients would simply not hire us if they cannot review previous work, and therefore it is in our Legitimate Interest as defined under the DPA and GDPR that we use a selection of Client Photographic, Video and Audio data for this business purpose.
Client Personal Data that we have selected as “Portfolio” will be retained indefinitely or as agreed between the Client and the Company. Clients may withdraw Consent to the use of data for Portfolio or marketing purposes at any time. Any Client data used for Portfolio purposes will be destroyed within 14 days of notification of withdrawal of such Consent.
Clients have the right to:
- Request access to any Personal Data we hold about you. For Photographic, Video and Audio data this access may be limited to low quality and watermarked copies of the data that will clearly state the Company’s copyright;
- Prevent the processing of data for marketing purposes;
- Ask to have inaccurate data held amended;
- Prevent Processing that is likely to cause unwarranted substantial damage or distress to the Client or anyone else.
If a Client wishes to know what Personal Data the Company holds about them, they must make the request in writing to the contact address on the Company’s website.
The Company will ensure that appropriate measures are taken against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
The Company will have in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a third party if the third party agrees to comply with those procedures and policies, or if they put in place adequate measures to achieve the same result.
Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the Personal Data.
Contract Services may require the Company to pass on data such as photographic, video and audio files to third parties such as an online hosting platform or digital delivery provider or social media platform. The Company may also give such information to others who perform services for us, such as IT consultants. Our Company may be subject to an audit or formal inspection, or be checked by our accountants or by other professional bodies/organisations, at any time. We do not normally copy such information to anyone outside the European Economic Area. All such third parties are required to maintain confidentiality in relation to your Personal Data.
Company Websites and Computers
This section is credited and used in agreement with SEQ Legal (https://seqlegal.com)
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Cookies that we may use :-
Cookies used by our service providers
Most browsers allow you to refuse to accept cookies and to delete cookies. Blocking all cookies will have a negative impact upon the usability of our websites. If you block cookies, you will not be able to use all the features on our website.
The methods for refusing and deleting cookies vary from browser to browser, and from version to version. You can, however, obtain up-to-date information about blocking and deleting cookies via these links:
- https://support.google.com/chrome/answer/95647?hl=en (Chrome);
- https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);
- http://www.opera.com/help/tutorials/security/cookies/ (Opera);
- https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);
- https://support.apple.com/kb/PH21411 (Safari); and
- https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).
The Company may process data about your use of our website and services (“Usage Data”). The Usage Data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the Usage Data is our analytics tracking system. This Usage Data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is Consent and our Legitimate Interest, namely monitoring and improving our website and services as an ongoing trading business.
We may process your online website account data (“Account Data”). The Account Data may include your name and email address. The source of the Account Data is you or your employer. The Account Data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and continued communication with you. The legal basis for this processing is Consent and our Legitimate Interest, namely the proper administration and security of our website and business.
We may process your information included in your personal profile on our website (“Profile Data”). The Profile Data may include your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details. The Profile Data may be processed for the purposes of enabling and monitoring your use of our website and services. The legal basis for this processing is Consent and our Legitimate Interest, namely the proper administration and security of our website and business.
We may process your Personal Data that are provided in the course of the use of our website services (“Service Data”). The Service Data may include your Services Contract, products, and other Services we may have sold or offered you. The source of the Service Data is you or your employer. The Service Data may be processed for the purposes of operating our website, providing our Services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is Consent and our Legitimate Interests, namely the proper administration and security of our website and business.
We may process information that you post for publication on our website or through our Services (“Publication Data”). The Publication Data may be processed for the purposes of enabling such publication and administering our website and services. The legal basis for this processing is Consent and our Legitimate Interests, namely the proper administration of our website and business.
We may process information contained in any enquiry you submit to us regarding goods and/or services (“Enquiry Data”). The Enquiry Data may be processed for the purposes of offering, marketing and selling relevant goods and/or services to you. The legal basis for this processing is Consent.
We may process information relating to our customer relationships, including customer contact information (“Customer Relationship Data”). The Customer Relationship Data may include your name, your employer, your job title or role, your contact details, and information contained in communications between us and you or your employer. The source of the customer relationship data is you or your employer. The Customer Relationship Data may be processed for the purposes of managing our relationships with customers, communicating with customers, keeping records of those communications and promoting our products and services to customers. The legal basis for this processing is Consent and our Legitimate Interests, namely the proper management and security of our customer relationships.
We may process information relating to transactions, including purchases of goods and services, that you enter into with us and/or through our website (“Transaction Data”). The Transaction Data may include your contact details, your card details and the transaction details. The Transaction Data may be processed for the purpose of supplying the purchased goods and services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely the proper administration and security of our website and business.
We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletters (“Notification Data”). The Notification Data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is Consent.
We may process information contained in or relating to any communication that you send to us (“Correspondence Data”). The Correspondence Data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms. The Correspondence Data may be processed for the purposes of communicating with you and appropriate record-keeping. The legal basis for this processing is our Legitimate Interests, namely the proper administration and security of our website and business and communications with users.
We may process any of your Personal Data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our Legitimate Interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
We may process any of your Personal Data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice and making insurance claims. The legal basis for this processing is our Legitimate Interests, namely the proper protection of our business against risks and claims.
In addition to the specific purposes for which we may process your Personal Data set out in this section, we may also process any of your Personal Data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect our vital interests, your vital interests or the vital interests of another natural person.
Please do not supply any other person’s Personal Data to us, unless we prompt you to do so.
Providing your Personal Data to Others
We may disclose your Personal Data to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy. Information about our group of companies can be found on our Websites.
We may disclose your Personal Data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
We may disclose Personal Data to our suppliers or subcontractors insofar as reasonably necessary for the execution of our Services Contracts.
Financial transactions relating to our website and services may be handled by our payment services providers, such as PayPal or Square. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
In addition to the specific disclosures of Personal Data set out in this section, we may disclose your Personal Data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect our vital interests, your vital interests or the vital interests of another natural person. We may also disclose your Personal Data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
International Transfers of Your Personal Data
In this Section, we provide information about the circumstances in which your Personal Data may be transferred to countries outside the European Economic Area (EEA).
The hosting facilities for our websites may be situated in countries outside the European Union. The European Commission has made an “adequacy decision” with respect to the data protection laws of such countries. Transfers to each of these countries will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the European Commission.
You acknowledge that Personal Data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use or misuse of such Personal Data by others.
It will remain our policy that we will endeavour to utilise hosting providers that have servers that reside within the European Union.