GDPR Compliance

Last updated: January 2024

This page provides detailed information about how sternig-painting complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your personal data and being transparent about our data processing activities.

Our Commitment

As a data controller, we are responsible for determining how and why personal data is processed. We take this responsibility seriously and have implemented measures to ensure our compliance with data protection legislation.

Our approach to data protection is built on the principles of transparency, fairness, and accountability. We process personal data only when we have a lawful basis to do so, and we ensure that data is handled securely throughout its lifecycle.

Lawful Bases for Processing

Under UK GDPR, we must have a valid lawful basis for processing personal data. The bases we rely upon include:

Contractual Necessity

When you commission our photography services, we process your data to fulfil our contractual obligations. This includes using your contact details to schedule sessions, processing payment information, and delivering final images.

Legitimate Interests

We may process data based on our legitimate business interests, provided these do not override your fundamental rights. Examples include maintaining client records for future reference, analysing website usage to improve our services, and protecting against fraud.

Consent

Where we rely on consent, you have the right to withdraw that consent at any time. Consent is typically used for optional communications such as newsletters or promotional updates.

Legal Obligation

Certain data processing is required by law, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.

Your Rights Under UK GDPR

The UK GDPR provides you with specific rights regarding your personal data:

Right to Be Informed

You have the right to know how your data is being used. Our Privacy Policy and this GDPR page provide this information. We also inform you at the point of data collection when appropriate.

Right of Access

You can request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will respond within one month of receiving your request, though this may be extended by two months for complex requests.

Right to Rectification

If the information we hold about you is inaccurate or incomplete, you have the right to have it corrected. Please contact us if you believe any of your details need updating.

Right to Erasure

Also known as the "right to be forgotten," you can request that we delete your personal data in certain circumstances. This right is not absolute and may be limited by our legal obligations or legitimate interests in retaining data.

Right to Restrict Processing

You can request that we limit how we use your data in certain situations, such as when you contest the accuracy of the data or have objected to our processing.

Right to Data Portability

Where we process data based on consent or contract and use automated means, you have the right to receive your data in a structured, commonly used format and to transmit it to another controller.

Right to Object

You can object to processing based on legitimate interests, and we must stop unless we demonstrate compelling legitimate grounds that override your interests. You can object to direct marketing at any time, and we will comply without exception.

Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Data Protection Measures

We have implemented the following measures to protect personal data:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls limiting data access to authorised personnel
  • Staff training on data protection responsibilities
  • Secure backup procedures with tested recovery processes
  • Data minimisation practices to collect only what is necessary
  • Regular review and deletion of data no longer required

Data Breach Procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. If the breach is likely to result in high risk to you, we will also notify you directly and without undue delay.

International Data Transfers

When we transfer personal data outside the UK, we ensure appropriate safeguards are in place. This may include relying on adequacy decisions, standard contractual clauses, or binding corporate rules where applicable.

Children's Data

We do not knowingly collect personal data from children under 13 without parental consent. When photographing minors, we obtain consent from a parent or guardian and process their data in accordance with applicable law.

Exercising Your Rights

To exercise any of your data protection rights, please contact us using the details below. We may need to verify your identity before processing your request. Most requests are free of charge, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

Supervisory Authority

If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk

Contact Our Data Controller

For any questions about this GDPR information or to exercise your data protection rights:

Email: [email protected]
Address: Unit 14, Riverside Studios, 47 Whitworth Street West, Manchester, M1 5WQ

We aim to respond to all data protection enquiries within 5 working days and to complete formal requests within the statutory timeframe of one month.