This policy explains the types of personal data we (Mike Barrett Photography) may collect about you when you interact with us. We collect and process data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. We do not disclose data to any third parties unless disclosure is necessary for the fulfilment of a service; you have specifically given consent for a particular service; or we have a legitimate interest in disclosing data. Instances in which we do disclose data to third parties are outlined below.
If you have any questions not answered by this policy, please contact us.
‘Mike Barrett Photography’ provides a wide range of photographic services and holds personal data on its students, clients and their employees, to provide its services.
This policy explains how and why we collect personal information about individuals and how we use that information. It explains the legal basis for this and the rights you have over the way your information is used. For the purposes of the General Data Protection Regulations (GDPR) and any subsequent UK legislation covering Data Protection, the Data Controller is Mike Barrett Photography.
If you have any queries about this Policy or concerning your personal information please contact us by email at email@example.com
- What personal information do we collect?
The type and amount of personal data we collect depends on why you are providing it.
If you are requesting a course or workshop information or are wanting to make a booking or buy a product we will collect your name, address and/or email address and telephone number and the details of the service(s) which you are interested in.
If you are booking a course or workshop or are wanting to make a booking or buy a product as an individual, data that we may need to collect could include your name, gender, date of birth, photo ID, address and/or email address, telephone number, relevant qualification details and credit or debit card details.
If you are a company booking a course or service or buying a product on behalf of an individual, we will collect your business name, company address, telephone number and email address as well as the details outlined above for each of the individuals training with us or wanting to use one of our services or buy one of our products.
- How we collect information
We may collect information from you whenever you contact us or have any involvement with us, for example when you:
- Contact us in any way including by phone, email, online, social media or post
- Enquire about our services
- Visit our website
- Sign up to receive news about our services
- Post content onto our website or social media sites
- Apply for a job
- Attend one of our events
- Attend any of our courses and workshops
- Where we collect information from
We collect information:
- From you when you give it to us directly: You may provide your details when you ask us for information or attend a course.
- When you give it to us indirectly: Your information may be shared with us by other 3rd party organisations such as Emagister etc.
- How we use your personal information
We may use the information provided by you in a number of ways which reflect the legal basis applying to processing your data. These include:
- To provide you with written information that you have requested or correspondence you have sent us (for example requesting course, workshop or service information)
- To provide you with specific information relating to any course(s) or workshop(s) or service(s) that you have booked
- For carrying out your obligations under a contract between us
- To process finance or funding applications
- To process job applications
- To provide you with communications with your consent that may be of interest to you including marketing information about our services and relevant legislative changes that may be relevant to you
- For analysing the operation of our website and analysing your website behaviour to improve the website and its usefulness
- Analysing your data and seeking your views so that we can make improvements to our services
- For accurately maintaining our organisational records and ensuring we know how you prefer to be contacted
- Our legal basis for processing your information
The use of your information for the purposes set out above is lawful because one or more of the following applies:
- Where you have provided information to us for the purposes of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent to us using the information for that purpose, based on the way that you provided the information to us. You may withdraw consent at any time by emailing us at firstname.lastname@example.org This will not affect the lawfulness of processing of your information prior to your withdrawal of consent being received and actioned. (Applies to 4.1, 4.2, 4.3, 4.5, 4.6).
- It is necessary for us to hold and use your information so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to prior to entering into a contract. (Applies to 4.3, 4.5).
- It is necessary to comply with our legal obligations (for example processing and retaining records relating to payroll, pensions, VAT, and insurance). (Applies to 4.2, 4.3, 4.4, and 4.5, Article 9(2) of the GDPR.
- Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, would presume that there is no prejudice to you in our fulfilling your request. (Applies to 4.1, 4.2, 4.3, 4.4, 4.7, 4.8, 4.9).
- How do we protect your personal information?
We understand the importance of security of your personal information and take appropriate steps to safeguard it.
Credit/debit card payments are processed either through secure terminals requiring your authorisation or by third-party PCI-compliant payment gateways through secure servers, and card details are securely destroyed immediately after processing.
However, no data transmission over the internet can be guaranteed to be 100% secure. So while we strive to safeguard your information, we cannot guarantee the security of any information you provide online and you do this at your own risk.
- Who has access to your information?
We always ensure only authorised persons have access to your information, which means only our staff and contractors, and everyone who has access is appropriately trained to manage your information. People who may have access to your information include:
- Third parties who provide services for us, including our printing and mailing distributor, our IT Support provider and the banks that process payments on our behalf. We select our third-party service providers with care. We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do.
- Analytics and search engine providers that help us to improve our website and its use.
Owing to matters such as financial or technical considerations the information you provide to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as apply in the UK. We meet our obligations under GDPR by ensuring that the information has equivalent protection as if it were being held within the EEA. We do this by ensuring that any third party processing your data outside the EEA either benefits from an adequacy determination for GDPR purposes and/or, where appropriate, we have entered into a Data Processing Agreement which contains model EU clauses.
We may also disclose your personal information if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction, or where doing so would not infringe your rights, but is necessary and in the public interest.
Other than this, we will not share your information with other organisations without your consent.
We would really appreciate it if you let us know if your contact details change. You can do so by contacting us at email@example.com
- Cookies and IP addresses
Cookies are small pieces of information sent by a web server to a web browser, which enable the server to collect information from the browser. They are stored on your hard drive to allow our website to recognise you when you visit.
- How long will we keep your personal information?
We will retain your personal data for as long as is necessary for the relevant activity. Students, client’s employee’s Personal information will be stored in accordance with any applicable laws and kept for as long as required, Manual data booking forms will be kept for a three-year period, this data would then be shredded and destroyed. Email enquiries direct into Mike Barrett Photography will be deleted after a 3 Month period. Please see our retention policy which is available on request by emailing firstname.lastname@example.org
Where we rely on your consent to contact you for direct marketing purposes, we will treat your consent as lasting only for as long as it is reasonable to do so. This will usually be for two years. We may periodically ask you to renew your consent.
If you ask us to stop contacting you with marketing or fundraising materials, we will keep a record of your contact details and limited information needed to ensure that we comply with your request.
- Your rights
You have the right to request details of the processing activities that we carry out with your personal information through making a Subject Access Request. To make a Subject Access Request please contact email@example.com marking your email ‘Subject Access Request’.
From 25 May 2018 you also have the following rights:
- The right to request rectification of information that is inaccurate or out of date
- The right to erasure of your information (also known as “the right to be forgotten”)
- The right to restrict the way in which we are dealing with and using your information
- The right to request that your information be provided to you in a format that is secure and suitable for re-use (also known as “the right to portability”)
- Rights in relation to automated decision making and profiling including profiling for marketing purposes.
All of these rights are subject to certain safeguards and limits or exemptions, details of which can be found in our Data Protection Policy (available from firstname.lastname@example.org).
If you are not happy with the way we have processed or dealt with your information, you can complain to the Information Commissioners Office. Further details can be found here https://ico.org.uk/concerns/
- Changes to this policy
We review this policy regularly, and if we make any significant changes we will advertise this on our website. Do please check this policy each time you consider giving your personal information to us.