Alistair Kerr Photography understands that your privacy is important to you and that you care about how your personal data is used. I respect and value the privacy of all of my customers and will only collect and use personal data in ways that are described here, and in a way that is consistent with my obligations and your rights under the law.
1. Information About Me
Business name: Alistair Kerr Photography (also trading as Creative Mongrel).
Business type: Professional Photographer and Creative Consultant
Person with responsibility for Data Protection: Alistair Kerr (proprietor).
· Email address: please use website contact form.
· Telephone number: 01382 671010.
· Postal Address: Gauldry, Fife (also a home address - details on request, using website contact form and stating reason).
I am registered with the Information Commissioner’s Office – registration ref. ZA347190
2. What Does This Notice Cover?
This Privacy Notice explains how I use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
3. What is Personal Data?
Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that I use is set out in Part 5, below.
4. What Are My Rights?
Under the GDPR, you have the following rights, which I will always work to uphold:
a) The right to be informed about my collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact me to find out more or to ask any questions using the details in Part 11.
b) The right to access the personal data I hold about you. Part 10 will tell you how to do this.
c) The right to have your personal data rectified if any of your personal data held by me is inaccurate or incomplete. Please contact me using the details in Part 11 to find out more.
d) The right to be forgotten, i.e. the right to ask me to delete or otherwise dispose of any of your personal data that I have. Please contact me using the details in Part 11 to find out more.
e) The right to restrict (i.e. prevent) the processing of your personal data.
f) The right to object to me using your personal data for a particular purpose or purposes.
g) The right to data portability. This means that you can ask me for a copy of your personal data held by me to re-use with another service or business in many cases.
h) Rights relating to automated decision-making and profiling: however, please note, I do not use your personal data in this way.
For more information about my use of your personal data or exercising your rights as outlined above, please contact me using the details provided in Part 11.
Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
If you have any cause for complaint about my use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
5. What Personal Data Do You Collect?
I may collect some or all of the following personal data (this may vary according to your relationship with me, and whether you are a “consumer” customer or a “business” customer):
· Email address;
· Telephone number (landline and mobile);
· Business name (or, if employed, your place of work, where relevant to providing my services and products, for example delivery of a product to your place of work);
· Job title;
· Payment information;
· Information about your preferences and interests (where relevant to providing my services and products);
· Names of family members involved in a shoot, and information about their preferences and interests (where relevant to providing my services and products);
· Photographs and video, created by Alistair Kerr Photography as part of delivering my services to you;
· If you use my website (www.alistairkerr.com), I may have access to your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. I do not use this to identify you personally and it is used solely for general analysis of visitor browsing patterns and to identify popular content. The source of the usage data is my website host’s inbuilt analytics tracking system. This data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is my Legitimate Interests, namely monitoring and improving my website and services.
Your personal data is not obtained from third parties (the only exception being where I have received a referral, in which case I will ask the other party to obtain your specific consent to share your details with me).
6. How Do You Use My Personal Data?
Under the GDPR, I must always have a lawful basis for using personal data. This may be because the data is necessary for my performance of a contract with you, or because you have consented to my use of your personal data, or because it is in my legitimate business interests to use it (in the case of legitimate interests, I will have carried out a “legitimate interests assessment” in relation to that data, as required by the GDPR). Your personal data may be used for one of the following purposes, as relevant to your relationship with me:
· Supplying my services and products to you (which may include fulfilling a prize to which you are entitled after entering a competition). Your personal details are required in order for me to enter into a contract with you and to provide you with the required level of professional service. The legal basis for this processing is the performance of a contract between us and/or taking steps to enter into such a contract.
· I may process information relating to transactions, including purchases of goods and services, that you enter into with me. This may include your contact details, your card details and the transaction details. The transaction data may be processed for the purpose of supplying the purchased goods and services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between us and/or taking steps, at your request, to enter into such a contract and my legitimate interests, namely my interest in the proper administration of my business.
· Personalising and tailoring my services and products for you, and providing the best possible level of service (for example, I may require certain information about family members in order to provide the best service during your portrait session). The legal basis for this processing is the performance of a contract between us and/or taking steps to enter into such a contract, and my legitimate interests, namely my interest in the proper administration of my business.
· Communicating with you. This may include responding to emails or calls from you. I may process information contained in any enquiry you submit to me about my services or products. The enquiry data may be processed for the purposes of offering, marketing and selling relevant goods and/or services to you. The legal basis for this processing is the performance of a contract between us and/or taking steps, at your request, to enter into such a contract OR (depending on our relationship) my legitimate interests, namely my interest in the proper administration of my business.
· I may process personal data in the form of photographs and video I may create while providing services to you. The legal basis for this processing is the performance of a contract between us and/or taking steps, at your request, to enter into such a contract.
· I may process any of your personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is my legitimate interests, namely the protection and assertion of my legal rights, your legal rights and the legal rights of others.
· I may process any of your personal data identified in this notice where necessary for purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is my legitimate interests, namely the proper protection of my business and others against risks.
· With your permission and/or where permitted by law, I may also use your personal data for marketing purposes, which may include contacting you by email, and/or telephone, and/or text message, and/or post, with information, news, and offers on my services and products. You will not be sent any unlawful marketing or spam. I will always work to fully protect your rights and comply with my obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out. You may unsubscribe or opt-out at any time by using the unsubscribe link that will be included on all email correspondence, or by post to the address above, or by contacting me using the contact form on my website. The legal basis for this processing is consent.
7. How Long Will You Keep My Personal Data?
I will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
· If you opted-in to a mailing list (per section 6 above), your data will be retained until such time as you unsubscribe;
· If you supplied your details when entering a competition, and your entry was unsuccessful, your details will be deleted immediately unless you also opted-in to receive marketing communications (per section 6 above).
· If you supplied your details when entering a competition, and your entry was successful, your details will be retained in order to contact you and arrange fulfilment of your prize. If you choose not to claim your prize, your details will be retained (including any related correspondence) to enable me to demonstrate that I made reasonable efforts to fulfil my obligations and provide your prize. This data will be retained for 6 years.
· Customers’ details will be retained for 6 years for contractual purposes and to maintain tax records. Basic details (name, address, telephone numbers, email address, source of enquiry) will be retained for a minimum of 6 years after completion of contract, i.e. delivery of services and products. Data I collect from you initially may include details of family interests, children’s approximate ages, school attended, workplace, names of pets etc, but only insofar as this is relevant to delivery of services. This data will be deleted within one month of the viewing/ordering session. (This allows for possible errors in production of products, where this information might be needed for re-ordering, for example incorrect spelling on an album cover.)
· Photographs and video created in the course of providing services to you will be retained indefinitely. This is necessary (and fairly standard practice within the industry) to provide the required level of service for customers who may need to contact me at a future date asking for copies of images they have lost, or of which they require additional copies, or where there have been changes of family circumstances. Customers will be reminded of this retention period at time of viewing/purchase. Please note, generally only those images which have been shown at your viewing will be retained, and all others will be deleted to reduce the amount of data being stored. The only exception to this is where images are retained for portfolio purposes.
· Financial details: no personal card or account details will be retained (these are entered directly into the relevant payment processor’s system at the time of taking payment from you). However, details of your order (order form, invoice, receipt etc) will be retained for 6 years for contractual purposes and to maintain tax records.
8. How and Where Do You Store or Transfer My Personal Data?
Your personal data is stored in the following ways:
· On my computer(s) and any necessary back-up devices;
· In very limited paper-based records (eg signed consent forms, and orders);
· On third party service providers’ and suppliers’ servers.
Like almost every other business, Alistair Kerr Photography uses a number of other service providers and suppliers in order to provide the services and products you require. For example, I sometimes use a password-protected online gallery service. In this digital age, many of these service providers use servers in worldwide locations, and not just in the country in which they are based. For example, a UK-based company may have servers in the United States and the EU as well as in the UK. This means that some data is “transferred” out of the EEA/EU. This section explains what steps I take in relation to that data.
I may store or transfer (including making available remotely) some or all of your personal data in countries that are not part of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). These are known as “third countries” and may not have data protection laws that are as strong as those in the UK and/or the EEA. This means that I will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR including:
· Using only companies who are demonstrably committed to the highest levels of data protection;
· Using only established and well-tested companies with an excellent reputation;
· Reviewing, insofar as is reasonably practicable, the data protection policies they have made available;
· Ensuring that the transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
For example, where I use companies based (or having servers based) in the United States, I check that they are “Privacy Shield” certified (an agreement between the EU and the US).
Some examples of Privacy Shield certified companies I use are my website host (Squarespace) and the service I use for mailing newsletters (Mailchimp).
The security of your personal data is essential to me, and to protect your data, I take a number of important measures, including the following:
· When I need to use other service providers, I only work with companies who are committed to the highest levels of data protection, and who are established and well-tested with an excellent reputation;
· I do not collect or store any more data than I need;
· I do not store data for any longer than I need, and if details need to be retained for a longer term, for example for contractual purposes, the amount of data is kept to a minimum;
· I implement a wide range of security measures, including: the use of fully up-to-date industry-leading antivirus software and firewall protection; adhering to established good practice in relation to internet security (eg deleting potentially malicious links from untrusted sources); use of encryption; use of secure and unique passwords; off-site backup; and strong physical security precautions. I do not allow others to have access to any part of the system, remotely or otherwise. Physical (paper) records are stored and locked away securely. I operate a clear desk policy, so no records are left on view.
For security reasons, I will not provide further details of any of the above.
9. Do You Share My Personal Data?
I may contract with the following types of third parties to supply services and products to you on my behalf. In some cases, those third parties may require access to some or all of your personal data that I hold.
· I use CRM (Customer Relationship Management) software to enable me to run my business; to maintain up-to-date lists of customers and people who have expressed an interest in the services and products I offer (eg by submitting an enquiry, entering a competition, or signing up to my mailing list); to keep a record of correspondence with customers; to book, schedule and plan shoots; to process and record financial transactions; and for marketing. This inevitably includes a variety of Personal Data, which is kept both locally (on my computer(s) and backup devices) and on the CRM provider’s secure servers. No unnecessary data is obtained, and data is kept for no longer than necessary. Access to this service is password-protected.
· I may share your Personal Data with printers and framers (for supply of prints, albums etc). These companies will receive your photographs for use in providing the services and products, your name, address, and (if necessary to enable delivery), your telephone number. Photographs are uploaded to these companies’ servers. The photographs do not include any data (eg name, location) which specifically identifies you. Access to these services is password-protected.
· I may share your Personal Data with financial organisations / payment processing companies (for taking payment from you). These companies will receive your name, bank account details, and any contact details they may require for security/verification purposes. Your data will only be shared with these organisations if you purchase services or products from me. Access to these services is password-protected.
· I may share your Personal Data (in the form of photographs and/or video only, from your session) with my website provider or social media channels, who will receive any photographs I upload to them to enable me to showcase my work. This will only be done if you have specifically consented in writing to such use of photographs and video from your session (this consent is obtained at your viewing session). The photographs and video do not include any data (eg name, location) which specifically identifies you.
· I may share your Personal Data with an online gallery service (in the form of photographs and/or video only, created during your shoot) who will receive any photographs I upload to them, for purposes of allowing you to view, and possibly download, images from your shoot. The photographs and video do not include any data (eg name, location) which specifically identifies you. Galleries are password-protected and are deleted once you have viewed the photographs. Access to this service is password-protected.
· I may share your Personal Data with a digital file transfer service (in the form of photographs and/or video only, created during your shoot) who will receive any photographs I upload to them, for purposes of transmitting these to you and enabling you to view, and possibly download, images from your shoot. The photographs and video do not include any data (eg name, location) which specifically identifies you. Transfers expire after 7 days. Access to this service is password-protected.
· I may share your Personal Data with online services I use to create client presentations (including software used to create MP4 movies from photographs and video, and software used to create a professional slideshow from your images). This involves only photographs and/or video, created during your shoot. The photographs and video do not include any data (eg name, location) which specifically identifies you. These companies will receive any photographs I upload to their servers in creating the presentations.
· I may share your Personal Data with online services I use to create client reports (including software used to create Creative Consultancy reports for some business customers). This involves photographs created during your shoot, and your name and business contact details. These companies will receive any photographs and other data I upload to their servers in creating the presentations. The photographs and video do not include any data (eg name, location) which specifically identifies you. Access to these services is password-protected.
· Your personal data may be transmitted via my email service provider, with encryption enabled. Any emails containing data no longer required after your shoot, viewing or order will be deleted (except where retention is required for contractual purposes). Access to this service is password-protected.
· Your personal data (in the form of your name and email address) may be shared with a bulk email service provider (such as Mailchimp) when sending you marketing communications. Access to this service is password-protected.
For reasons of security and commercial sensitivity, I have not identified these companies individually, but if you have any concerns you wish to discuss, you can contact me as per section 11 below and I may, subject to establishing that you have genuine reasons to require this information, supply you with details of these companies and their published policies regarding handling of data.
If any of your personal data is required by a third party, as described above, I will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, my obligations, and the third party’s obligations under the law.
I may sometimes contract with third parties (as described above) that are located outside of the European Economic Area (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). If any personal data is transferred to a third party outside of the EEA, I will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the GDPR, as explained above in Part 8.
In some limited circumstances, I may be legally required to share certain personal data, which might include yours, if I am involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
10. How Can I Access My Personal Data?
If you want to know what personal data I have about you, you can ask me for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal address shown in Part 11. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell me everything I need to know to respond to your request as quickly as possible.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover my administrative costs in responding.
I will respond to your subject access request within one month of receiving it. Normally, I aim to provide a complete response, including a copy of your personal data, within that time. In some cases, however, particularly if your request is more complex (for example, some records may also include other people’s data, which will need to be removed), more time may be required, up to a maximum of three months from the date I receive your request. You will be kept fully informed of my progress.
11. How Do I Contact You?
To contact me about anything to do with your personal data and data protection, including to make a subject access request, please use the following details (for the attention of Alistair Kerr):
Email address: via contact form on my website.
Telephone number: 01382 671010.
Postal Address: As per section 1.
12. Changes to this Privacy Notice
I may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if I change my business in a way that affects personal data protection.
Any changes will be made available at my website (Privacy Notice).
This notice was produced on 8th May 2018. Any future revisions will be identified alphabetically, eg “Revision A, dated…..”.
This is Revision A (14 March 2019): contact details and tel. number revised; reference to Creative Mongrel added.