
Sara Epstein Photography - Privacy Notice for Clients

 

Who we are:

We are Sara Epstein Photography, a professional photography business. For the purposes of this notice, the term ‘we’ encompasses all those employed by us to carry out our business, either directly or as external contractors.

Our Contact Details:

If you have any questions about this Privacy Notice, please contact: photography@saraepstein.com

1. Privacy laws

The processing of your personal data is governed by the UK General Data Protection Regulations (GDPR), as enacted by the Data Protection Act 2018.

2. The capacities in which we process data

In providing you with our services, we act as a controller of personal data (as defined by Article 4(7) GDPR) with respect to any processing for which we determine the purpose and means. This includes data that we obtain from you in order to facilitate the administration of our business relationship and the fulfilment of our contract with you.

3. The purpose of this privacy notice is:

To inform you about our processing of your data as a controller, in accordance with the ‘transparency’ requirement of Article 13 GDPR.

4. The types of personal data we collect

The personal data we use may include, but is not limited to:

  • Your name, address and contact details, including email address and home and mobile telephone numbers;
  • Photographs and video recordings of you;
  • Financial data including bank account and payment card details;
  • Personal preferences and requests;
  • The terms and conditions of your contract with us for the provision of our services.

5. How we collect the personal data

Data might be collected through:

  • Electronic, written or verbal correspondence with you;
  • Photography and videography assignments; or
  • Meetings in person.

Should we collect data relating to you from any other source, we shall inform you of that processing as soon as practicable.

6. Providing your personal data

We will tell you if providing some personal data is optional, including if we ask for your consent to process it. In all other cases, we need you to provide your personal data so we can provide professional services to you.

7. What we use your personal data for

Provision of professional services

  • To provide you with our professional services at your request;
  • As necessary to support the contract with you and to allow us to receive full payment for those services.

Business purposes

  • As necessary for our own legitimate interests or those of other persons and organisations, subject to your rights and freedoms as a data subject;
  • For surveys of client experience and quality of our services.

To comply with a legal obligation:

  • When you exercise your rights under data protection law;
  • For the establishment and defence of legal rights;
  • To investigate complaints, legal claims and data protection incidents.

8. The legal basis for processing

In providing you with professional services, we will process your personal data under Article 6 (1)(b) of the UK General Data Protection Regulations, on the legal basis that processing is necessary for the performance of a contract for the provision of our services, or in order to take steps at your request prior to entering into a contract, or in order to fulfil your instructions during the execution of that contract.

In addition, we may process your personal data on the following legal bases:

  i. Consent: where you give your consent for the processing - Article 6 (1)(a). Where you engage us to take photographs or video recordings of a person under 13 years, you will be responsible for providing that consent on their behalf;
  ii. Legal obligation: the processing is necessary for compliance with a legal obligation - Article 6 (1)(c);
  iii. Vital interests: the processing is necessary to protect someone’s life - Article 6 (1)(d);
  iv. Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party - Article 6 (1)(f). In such cases, the legitimate interest of the processor will be balanced against the rights and freedoms of the data subject to ensure no detriment is caused to the latter.
  v. With regard to photographic or video images captured by us in a professional capacity at an event attended by people with whom we do not have a contractual relationship, the data is processed on the legal basis of legitimate interest as described above. We deem it impracticable and disproportionate to discharge the Article 13 transparency requirement with each individual at such events, and consider that this does not create a significantly adverse effect on the privacy rights and freedoms of such individuals.

9. Sharing of your personal data

Subject to applicable data protection laws we may share your personal data with:

  i. Other organisations or individuals necessary for the provision of our services and who require your data in order to meet that requirement;
  ii. Subject to any terms and conditions governing the copyright and use of photographs or video recordings created in our professional capacity, social media platforms, websites and other advertising and marketing media or materials. This sharing may include, with your consent, your name and written comments relating to our service;
  iii. Our legal and other professional advisors;
  iv. Fraud prevention agencies, credit reference agencies, and debt collection agencies;
  v. Government bodies and agencies in the UK and overseas (e.g. HMRC) who may in turn share it with relevant overseas tax authorities and with regulators including the Information Commissioner's Office;
  vi. Courts, to comply with legal requirements, and for the administration of justice;
  vii. In an emergency or to otherwise protect your vital interests;
  viii. To protect the security or integrity of our business operations and other clients;
  ix. Payment systems and providers; and
  x. Any other party where we have your consent or as required by law.

10. Transfer of personal data

We do not envisage that your data will be transferred for processing to any jurisdiction outside the UK. However, in the event that such transfers do occur, and where such processors are located in a country which is not deemed by the United Kingdom to have adequate privacy standards (as defined within the Data Protection Act 2018), the transfer will be subject to a legal instrument providing appropriate safeguards in accordance with Article 46 GDPR.

11. How long do we keep your data?

We will take steps to erase payment data held by us as soon as it is no longer required. Data relating to taxation will be kept for five years from the end of the tax year to which the data relates. Other information will be kept for a maximum period of three years from the date of the termination of our professional relationship or from the last date on which we provide services to you, whichever is the earlier, but may be held for longer periods where any of the following apply:

  • Retention in case of queries. We will retain your personal data as long as necessary to deal with any outstanding queries you may have;
  • Retention in case of claims. We will retain your personal data for as long as you might legally bring claims against us or, in the event of such a claim, until that matter is complete. This includes data which relates to our professional services and indemnity insurance; and
  • Retention in accordance with legal and regulatory requirements.

12. Your rights under applicable data protection law

Your rights are, where applicable:

  • The right to be informed about processing of your personal data;
  • The right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
  • The right to object to processing of your personal data;
  • The right to restrict processing of your personal data;
  • The right to have your personal data erased (the "right to be forgotten");
  • The right to request access to your personal data and information about how we process it;
  • The right to move, copy or transfer your personal data ("data portability"); and
  • Rights in relation to automated decision-making including profiling.

You may exercise these rights by contacting us using the details given at the top of this Notice. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

 

13. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us using the details given at the top of this Notice.

You can also complain to the Information Commissioner’s Office if you are unhappy with how we have used your data:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk 

 

Appendix A

Stipulations for acting in the capacity of a data processor

The data we process under 2(b) above will consist of data provided to us by you as its controller, in order that we may carry out processes specified by you. Where such data relates to other data subjects (your employees, contractors, clients or others) we will process it on the understanding of your compliance with the provisions of the GDPR and, in particular, that:

  • You have met the transparency requirements of Article 13 GDPR in respect of informing those data subjects about your sharing of their data with us and our processing of it; and
  • You have established and documented legal bases for the processing of their data and, in particular, any special category data. Where such legal bases include the consent of the data subject, you have obtained, and documented, informed and freely given consent.

In acting as a data processor on your instructions, we confirm that we shall respect the privacy rights and freedoms of those data subjects whose data you share with us. In particular, and in accordance with the requirements of Article 28 GDPR, we shall:

  • Only act on your documented instructions, unless required by law to act without such instructions or it is in the vital interests of the data subject to do so;
  • Ensure that people processing the data are subject to a duty of confidence;
  • Take appropriate measures to ensure the security of processing;
  • Only engage a sub-processor with your prior authorisation and under a written contract which contains all of the technical and organisational measures necessary to ensure compliance with these stipulations and any other GDPR requirement relevant in the circumstances;
  • Take appropriate measures to assist you to respond to requests from individuals to exercise their rights under GDPR;
  • Taking into account the nature of processing and the information available, assist you in meeting GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • Delete or return all personal data to you (at your choice) at the end of the contract, unless the law requires its storage; and
  • Submit to audits and inspections.

©2022 BRP Consulting – all rights reserved
