• privacy notices (website, clients, employees)
• data subject rights procedure
• data retention policy
• data protection impact assessment process
• record of processing activities
• personal data breach reporting process and a breach register
We will ensure that all staff who handle personal data on our behalf are aware of their responsibilities under this policy and other relevant data protection and information security policies, and that they are adequately trained and supervised. Breaching this policy may result in disciplinary action for misconduct, including dismissal. Obtaining (including accessing) or disclosing personal data in breach of our data protection policies may also be a criminal offence. The information you provide to us will be held on our computers in the UK and may be accessed by or given to our staff, for the purposes set out in this policy or for other purposes approved by you or as otherwise permitted by law. This may mean that your information is sent to computers out with the UK. We shall never sell or rent your personal information to third parties for their marketing purposes.
• The Principles of Data Protection
We comply with the data protection principles set out below. When processing personal data, we ensure that:
We will facilitate a request from a data subject who wishes to exercise their rights under data protection law as appropriate, always communicating in a concise, transparent, intelligible and easily accessible form and without undue delay.
Our Processes and Procedures
‘Data Protection Law’ includes the General Data Protection Regulation 2016/679; the UK Data Protection Act 2018 and all relevant EU and UK data protection legislation.
Your Rights as a Data Subject
Under data protection law you have rights in respect of the personal data about you that we hold and process. We have processes in place to ensure we can facilitate this.
For a list of your rights and more information please look at our policy document here: Data Protection Policy – May 2018 – SUBJECTS RIGHTS POLICY
Choosing Not To Share Your Information
We need to process your personal information to meet our contractual obligations – for our own legislative obligations – and in furtherance of the Photography services which we provide on your behalf in terms of our contract. If you fail to provide the data when requested, it may delay or prevent us fulfilling our obligations. This may mean we are unable to be your Photographer.
How We Process and Retain Your Data
We collect, store and process different types of personal information in the necessary course of our contractual obligations and the provision of Photography services to you. All our data is backed up daily to a server within the UK. We do not sell or rent your personal information to anyone.
We do not solely rely on automated decisions or processing of information for the purposes of fulfilling our legal obligations.
Who is responsible – Our Data Protection Administrator
If you have any concerns or wish to exercise any of your rights under the GDPR, then you can contact our Data Protection Administrator as follows:
Name: Darren Moore
Address: Chronicle Photography, 12 Copperwood Wynd, Hamilton, South Lanarkshire, ML3 0RP