This policy explains:
- Who we are, and how to contact us
- When we collect personal data
- What personal data we collect, and who it relates to
- Why we process personal data
- Cookies and our website
- Recipients of personal data
- How long we store personal data for
- How we keep personal data safe
- International transfers
- Your rights as a data subject
- Updates to this policy
1. Who we are, and how to contact us
We are Andy Grimshaw Photography Limited. a limited company with registered number 04428862, having our registered office at 57 Saint Patricks Road South, St. Annes, Lancashire, FY8 1XN.
If you have questions about this policy or your personal data, please contact our Data Protection Team by writing to our office address or by emailing [email protected] with the subject line “Data Protection”.
For the purposes of applicable data protection and privacy laws (Data Protection Laws) we are a controller of your personal data. This means we are responsible for deciding how and why we use personal data, and for keeping it safe.
2. When we collect personal data
We collect personal data (meaning information which relates to an identifiable individual) in a number of ways. These are described in more detail below.
Personal data we collect from you
Often the personal data we hold is provided to us by the individual it relates to, for example when someone:
- enquires about our services (for example, by telephone or email) or fills in a form on our website;
- registers as a client; or
- provides us with their contact details and asks to receive news or correspondence.
We also process personal data relating to our dealings with an individual, which can include:
- information generated in the course of providing services;
- contact details included in correspondence (for example, email signature information);
- bank details relating to payments we receive.
3. What personal data we collect and who it relates to
Depending on our relationship with you, the personal data we process may include:
- personal details and contact information (such as name, address, telephone and email address);
- bank details (if you make a payment to us);
- correspondence and communication between you and us;
- feedback or complaints you provide about our services; and
- photographs in which you feature.
We process personal data on individual contacts at businesses and other organisations (such as professional advisers). We use this information for the purpose of our legitimate interests in running our business and building relationships with suppliers and other organisations.
4. Why we process personal data
We will either use personal data on the basis of someone’s consent (provided it is freely given, specific, informed, unambiguous and positively given) or because we need to for one or more of the following reasons:
- perform a contractual obligation we owe that individual;
- in order to comply with legal and professional obligations (such as record keeping requirements, permitting regulatory audits, or disclosing information where required by Data Protection Laws or other applicable laws); and
- to pursue our legitimate interests in operating and promoting the success of our business (such as using contact details for marketing purposes).
We use personal data to contact people from time to time. This might be because we are providing that person with services or because they have asked to hear from us.
We sometimes send emails to other companies and organisations without their prior consent. We do this in order to promote our services and build relationships. If we have contacted you like this, it is because we think these communications may be of interest or relevance to you (usually on the basis of our previous dealings with you or a recommendation from a third party).
You can change how you hear from us or unsubscribe from marketing at any time by clicking the “unsubscribe” link on any of our emails, or by emailing [email protected] and asking us to stop contacting you.
6. Cookies and our website
We do not normally collect personal data about visitors to our website unless they choose to provide such information (such by filling in a website form).
We may collect anonymous information about visitors to our website in order to optimise and improve the website. This might include IP addresses, browser or device details and the connection type (e.g. the Internet service provider used). However, none of this information will by itself directly identify any particular user.
Hyperlinks to other sites
7. Recipients of personal data
Personal data you provide to us will be kept private and confidential, and we will not disclose or share it with other data controllers for our own purposes other than in exceptional situations. For example:
- if we are legally required to disclose personal data, such as where we are required to provide information to law enforcement, or pursuant to a request from a regulator or a court order;
- if necessary with our professional advisers such as lawyers or accountants; or
- if connection with a corporate transaction (for example a merger or investment).
We sometimes share personal data with third parties who provide services to us (for example, consultants or IT service providers). However, these service providers will only process personal data on our behalf, for specified purposes, and in accordance with our strict instructions.
We only use third party service providers who have provided sufficient guarantees that your personal data will be kept safe, and we always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to us.
8. How long we store personal data for
We only store personal data for as long as is necessary for the purpose(s) it was collected for, or for related compatible purposes (such as record keeping, in order to comply with legal and regulatory and requirements or because information may be required if a claim later arises).
We usually only process personal data for the duration of the services we provide then a further period for accounting requirements and to protect ourselves in case of a potential claim.
When deciding how long to retain personal data for, we will determine the appropriate retention period for personal data by considering the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once personal data is no longer required it will be securely destroyed.
9. How we keep personal data safe
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. These include both physical security measures (such as keeping paper files in secure premises and shredding them when no longer required) and electronic security technologies (such as device encryption, anti-virus protection and secure backups).
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to strict legal and contractual confidentiality obligations.
10. International transfers
We normally only store personal data within the European Economic Area (EEA). However, some of the third-party services we use from time to time may be provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we will take steps to make sure that any personal data they process on our behalf is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
- ensuring the recipient is in a country which the EU Commission has deemed provides adequate protection for personal data;
- implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the appropriate data protection supervisory authorities; or
- (if the recipient is based in the USA) transferring personal data to recipients who are certified under the EU-US Privacy Shield scheme.
If none of the above apply, we will only transfer personal data pursuant to a derogation under Data Protection Law which allows us to do so.
11. Your rights as a data subject
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
- The right to access your personal data. This enables you to receive a copy of the personal data we hold about you.
- The right to request correction or completion of personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data (though this may not apply where we have a good, lawful reason to continue using the information in question). You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to processing of your personal data. You can object to us processing personal data for legitimate interests purposes or for direct marketing.
- The right to restrict how your personal data are used. You can limit how we use your information (primarily to storage or for use in legal claims).
- The right to have a portable copy or transfer your personal data. We will provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to automated information we process on the basis of your consent or in order to perform a contract.
- The right to withdraw consent. If we are relying on consent to process your personal data you have the right to withdraw that consent at any time.
We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
Fees for making a request
You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
How to make a request
If you want to exercise any of the rights described above, please contact us by writing please contact us by writing to our office address or email [email protected].
Your right to complain to a supervisory authority
You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.
12. Updates to this policy
We will update this policy from time to time, so please check back. The current version will always be posted on our website. This policy was last updated on 3 May 2018.