GDPR also stands for 'Get Dozens of Photographers Raving' and was designed to create mass hysteria within an industry of small, independently run businesses who happen to work with people’s faces. Are faces personal data? Even the ICO jury is out on that one.
Anyway, the gist of all this is we need to be compliant in handling your data (which as responsible peeps we already are, but we need to make things super-duper clear to keep those GDPR bods happy).
In a nutshell, you can use this website without the need to provide any personal data, should you wish to, but If you want to purchase goods or services from Twig’s Branch Photography (incorporating Branch Out Makeup) then some data transfer (that’s talking and filling out forms to you and me) will become necessary.
This policy sets out how and why we collect any of your personal information, how it is processed and how it is kept secure. By using this website, or engaging with us to enquire about or purchase any of our goods or services, you are agreeing to be bound by this policy.
Any and all personal data captured will be in line with the GDPR and any UK data protection regulations (we know we’ve suddenly got serious but we felt we needed to at this point in case the GDPR police are reading).
So, as your eyes are now probably starting to glaze over, let’s try and put this simply.
HOW DO YOU COLLECT DATA?
We suck out your soul via the webcam…. only kidding! We collect data in a variety of ways including, but not limited to, the contact form on this website, via email, social media or phone. When we enter into a contract with you we will collect data that way and we may also collect data via cookies (not the biscuit kind, the type on websites - more on this later).
WHAT INFORMATION DO WE COLLECT?
We only collect data that is necessary for us to do our jobs (which you probably want us to do since you’re paying us to do it).
We collect your name, so we don’t have to call you Sir or Madam (unless you want us to), and your contact details so we can communicate with you.
In order to provide photographic services to you, we take and store photographs from your event. Your photographs are stored for as long as the hard disks are functional in order to provide copies should you lose your photographs. This service is provided as a legitimate interest (see the ICO website for further information on this if you really want to).
Should you wish us to remove your photographs from our hard disks and backups after we’ve delivered your photos, we will do so if you provide confirmation in writing (although we only advise this if you are a super organised person who has never lost anything. Ever. As once we erase your images from our files there is no going back in time Terminator style to resurrect them).
Makeup clients will be asked to provide data such as known allergies or skin conditions to fulfil our health & safety obligations.
We never, ever capture credit or debit card numbers. These are all handled via our card processing service.
HOW WILL YOU USE MY DATA?
This is pretty straightforward, we are not going to use your data to contact you about a really cool Netflix show we’ve recently binge-watched. Even if it is REALLY cool. But we will use your information to contact you about the job you have enquired about or booked with us.
We may also use your data in the general running of our business. For example, we like to show off our work (it's pretty awesome) so we may, for example, post photos from your wedding in a variety of places (this is done via that legitimate interest clause we were talking about earlier. Basically, as a photography company, we need to be able to use images for promotional purposes as it’s what we do - this is permitted under the ICO’s regulations).
Should any member of your wedding party not wish to be included in shared images, please let us know in writing (this can be via email, you don’t actually have to be archaic and put pen to paper). In addition, we also provide you with the ability to opt out of our use of images as part of your contract.
Notice we only mention weddings here - for all other types of photography; boudoir, lifestyle (which may include children) and corporate we will ask you to complete a separate consent form and will never post any identifying images without your approval (we may use images whereby you cannot be identified, for example, images that may not show your face or recognisable features). Images captured under Trade for Print (TFP) arrangements are exempt from this consent.
We may also take photos of our makeup clients, if you wish to opt out then the option to do so will be clearly marked on your contract.
Places we may post images include;
This snazzy website
In blogs and on other websites
Print media &| marketing materials (including brochures, business cards, posters, magazines and newspapers)
On social media
To other suppliers (for example your wedding makeup artist or florist may wish to have images for their own portfolios)
How, Where and for how long Do You Store My Personal Data?
Your personal data (including photos of your lovely faces) is stored for a minimum of 7 years (to comply with our legal obligations). Electronic files are kept on password protected devices. Any paper copies are filed in a secure premises to which only Twig’s Branch Photography staff have keys.
Do You Share My Personal Data?
With the exception of photographs, personal data held by us is used only to fulfil contractual obligations, respond to communications, and for boring legal purposes such as filing tax returns. When it comes to your photographs, the EU hasn’t gotten too specific about what that means for working photographers, bar that we need to ‘demonstrate reasonable and legitimate use.’ What we can tell you is that we won’t sell your wedding photos to be used in a haemorrhoid commercial, or any such like, and we will always ask you to confirm whether or not you are happy for your images to be shared.
EXTERNAL DATA PROCESSORS
In addition to collecting data ourselves, we also use a variety of data processors. These are listed below.
Dropbox - this is a service providing an online hosting of data, including images. We may store your photos on Dropbox as it is an easy method of transferring files. Dropbox self-certify as being compliant with Privacy Shield, so are compliant with GDPR.
Mailchimp - provides email mailing lists. We may use Mailchimp to send you details of news, special offers and promotions. Mailchimp holds names and email addresses. They self-certify as being compliant with Privacy Shield, so are compliant with GDPR. We retain data via legitimate interest.
iZettle - a tool for accepting credit and debit card payment. iZettle is PCI-DSS Level 1 certified aid and therefore compliant with GDPR. We retain 7 years of data in order to be compliant with legal obligations.
Google Analytics - a service which provides information about how visitors use a website. We use the information to add bells and whistles to our site. Google is fully GDPR compliant.
Like many other websites, Twig’s Branch Photography uses website cookies. These store information on your computer and allow us to improve our website in a variety of ways through the use of aggregated data. It is possible to switch off cookies by setting your browser preferences. In some cases, turning cookies off may result in a loss of functionality when using certain parts of our site.
Your security is very important to us. As we said way back in the beginning (anyone remember that long ago?!) we are nice people. We take all reasonable steps to ensure that data is held and processed securely. This includes ensuring our site is SSL certified. Basically this means you can tell our site is secure by the web prefix https (if a site is not secure it will display http only).
This Policy & access to your information
If you are concerned about any information we hold about you please email us at firstname.lastname@example.org or write to us at; Twig’s Branch Photography, 29 Corbett Close, Telford, TF4 3JQ and mark your correspondence ‘GDPR.’
GDPR compliancy achieved!
Congratulations! We all made it to the end of this document in one piece! Ultimately, these new EU regulations require us to just do stuff that’s already fairly within the realms of our job roles - so we guess all you really need to know is that we are nice human beings who want to be able to do our jobs, but who won’t take the proverbial.