Company & Contact Information
This Privacy Notice is provided by Heather De Rosevere, trading as a Sole Trader as De Rosevere Photography (“DRP”, “me”, or “I”). It covers your rights in relation to the Data Protection Act 1998 (“DPA”), the General Data Protection Regulation (“GDPR”) and the Privacy and Electronic Communications Regulations (“PECR”).
This Notice explains how I comply with the DPA, GDPR and PECR. I am both the controller and a processor of all personal data collected. This Notice is updated whenever changes are made to relevant data protection legislation.
Date this Notice was last modified: 28th March 2021
Your rights under GDPR
The rights relevant to this business are:
- Right to be informed about the collection and use of your personal data.
- Right to access your personal data, and any supplementary information which constitutes personal data.
- Right to have your personal data rectified; this means you can ask me to correct your personal data if it changes, turns out to be inaccurate, or is incomplete.
- Right to have your personal data deleted; this means that you have the right to request the deletion or removal of your personal data. Note there are some circumstances when you do not have this right.
- Right to restrict me processing your personal data.
- Right to object to me processing your personal data.
If you’d like to know more please see the Information Commissioner’s Office here.
The data I collect, and what I use it for.
Your contact details:
The website and email systems automatically remember the contact details for anyone who sends a message, and my phone will remember your number. I’m likely to attach notes to these details for reference, but I won’t use it for anything else or pass it on to anyone. If you haven’t hired me and you’d like me to delete any of this information you can let me know at any time.
If you have hired me then I’ll need to keep some information to do business with you. Most of the information forms part of our contract, such as your name(s), the date and location of your event, contact details, and delivery address. This information is kept secure to the best of my ability and is never passed directly to any third party except where the law requires it.
Note that I may need to pass information to a second photographer for weddings, for example if they are doing prep shouts at a home address, but they will not store any data as per their contract with me.
Sometimes there is the potential for some information about you to end up with another company whose services I use, either to fulfil my contract with you, or to help me run my business. An example of this might be an accountant, auditor or solicitor. If I give any information to another company, it is only to fulfil my obligations as a business or my contract with you. I never give or sell information for any third party to use however they see fit.
Cookies and website tracking:
The site itself directly records who accesses it. This doesn’t technically rely on cookies but may include their use. From this I know your IP address, what computer you’re using, and what browser you’re using. From your IP address it is possible to find your approximate location, usually only as precise as your nearest large city.
Photography and your image as personal data
The old Data Protection Act (DPA) and the new General Data Protection Regulation (GDPR) don’t cause any big problems with photography at your average event. Both of these laws define a person’s image (eg a photo of them) as personal data which should be protected like any other personal data, however they also limit this requirement to situations in which we have a good reason to take/process a person’s data, the person has a reasonable expectation of privacy, and that the data can be used to identify the person.
Obviously being hired to photograph a wedding for example is a good reason to photograph the people at a wedding, and most people would expect photos to be taken at a wedding, so there’s no reasonable expectation of privacy to deal with there. This is generally also true of any public space.
Copyright and usage issues are covered in detail in our contract, but speaking generally about the privacy aspects, I might promote my business and services by using an image of you, your guests, or your event, or by quoting you. I will never sell any image without the specific and expressed consent of the original client and, within reason, any people identifiable in the image.
Because I don’t index any of the faces in our images, going through them all to find any occurrence of a particular person or people is a long painstaking process. If I have been hired for a wedding or other event, and you believe that your guests may have a reasonable expectation of privacy, you might like to make sure they are aware that there will be photography. If you or any of your guests would specifically prefer to avoid having their photo taken or published, I can certainly try to accommodate it, but it would make things much easier if you tell me before the event, and point out the people in person. They may still appear in the background sometimes but I can ensure the image doesn’t get used as promotional material in any public space.
Storage of records
Your details will be kept for as long as it takes to fulfil our contract. Beyond that I retain records for 5 years, along with all records required to run my business, and will then remove them. I will also retain all images for 2 years, and remove all unused images after 5 years. I will retain some images for promotional purposes depending on space constraints, and if I deem them still relevant to running the business.
If you would like me to delete your personal data at any time after I have fulfilled our contract and before the 5 years, you have the right to ask me to do so.
If you would like to know more or have a complaint
By using this site and/or engaging with me, you agree to be bound by this Notice. You have the right to withdraw your consent to be bound by this Notice at any time. If you wish to do so, please use the contact form. You also have the right, to withdraw your consent to my processing your personal data, and ask me to remove it. If you have any queries about what data I have and how I use it, please do get in touch. As well as the right to withdraw consent and exercise any of the above rights mentioned under ‘Your rights under the GDPR’, you also have the right to raise a complaint with a regulatory body. In the United Kingdom, this is the Information Commissioner’s Office (ICO). If you have concerns about the way your data is being processed by an organisation, you can find out more here.