In order to do my job and to allow me to maintain this website, I need to collect and/or store certain pieces of personal data. I never collect or store more data than I need, and I never sell it to any third party. I treat the data I collect and store with care, and ensure it is stored securely and only for as long as I require it. I will tell anyone who asks exactly what data I have stored about them and I will do so promptly and accurately. I will remove any data from my systems that you would rather I don’t store as far as practicable but if doing so might have implications for how I can do the job you’ve contracted me to do (if relevant) I will inform you of any consequences of this, so you can make an informed decision about such a request.
All data is stored and/or processed in a GDPR-compliant manner.
The full version
In addition to the below policy, data collected by visiting my website is stored through Squarespace’s data storage, databases and general Squarespace application. They store your data on a secure server behind a firewall.
The cookies my website uses are of three types:
- Statistical cookies – these allow me to identify the most and least popular pages, distinguish new visitors from returning visitors (anonymously), see when pages are visited, from what browsers or devices, and for how long. I use Google Analytics to gather those statistics and Google take their GDPR commitments seriously. These cookies don’t identify you personally, but should you wish to opt out of Google Analytics you can install this plugin in your web browser. There are 3 such cookies used – two of them are session cookies, which mean they are removed once you leave the site (and allow my analytics figure out, for instance, that you were looking via an iPhone in Safari or a Windows 10 PC in Chrome), and one is a persistent cookie which lives on your computer for 2 years once it’s created (so my analytics can figure out “oh, you're back” as opposed to “here’s someone who’s never been here before”).
- Marketing cookies – part of the Google Analytics service is something called the Google pixel. It’s a small file that allows Google to serve up ads that I might run with Google Ads to people who have previously visited my website. On the basis that if you visit my website, and I then run an ad for something, there’s a chance you’ll be interested in it. Have you ever looked at buying a robot dog on Amazon and then noticed you keep seeing ads on other websites for robot dogs for the next week? Well that’s how this works. It’s not as creepy as it seems (“hey, how do they know I want a robot dog?”) but what’s important for you to know here is that I don’t run ads on Google, so I don’t put this technology to use. It just comes bundled as part of Google Analytics. Again if you wish to opt out of Google Analytics you can install this plugin in your web browser. Facebook also has a pixel but I don’t use that currently. It’s for the same purpose, but for Facebook ads. If I ever start using it I’ll state so clearly here. And when NextBigSocialMediaChannel comes along, they might have a pixel and run ads, so I’ll also tell you about that if it ever is something I use. But right now, while there’s that one Google pixel cookie created, I don’t use any of them. Oh, and it’s also a session cookie so it is removed once you leave the website. It also only works if you’re logged into Google, so if it creeps you out, only log into Google when you need to.
- Functional/technical cookies – these are cookies that, essentially, allow the site to work. For instance to give you the best layout of the site, the website needs to know if you’re looking on a tablet or a mobile phone or a desktop etc. And rather than check this continually, it does so once and stores that file on your PC, and then just uses that file as you go from page to page to give you the optimal view of the website. There are two such cookies, both of them session cookies, so they are removed once you leave the website. The other types of cookies are those which figure out if you are someone who is logged into the website or not. Now this is not Facebook, or a site where people get logins, so the only person affected by those cookies is me – the person who updates the website (something I have to log in to do). But because the website needs to allow me to log in (and stay logged in) it does create a cookie for everyone to note if anyone is logged in. These are persistent cookies, and there are three of them.
If you’re bothered by the cookies, you might want to research how to delete them, or how to block them. Just remember if you block them you might find the website doesn’t look so great because that blocks all of them, even the functional cookies that allow the site to work.
PEOPLE WHO MAKE CONTACT WITH ME
How I store and process data from people who make contact with me
The data I gather from your contact is used to communicate with you, and to provide you with the information you require. For instance if you enquire about my availability and price for a portrait session I will need to know the date of the session and the location in order to provide you with a quote. At the enquiry stage, I will never seek additional information beyond your name, email address and a reason for your enquiry – you are free to offer further information as you see fit and I will be careful with that data also. Contact will come from one of 9 places:
- Website contact form
- Facebook message
- Instagram message
- Twitter direct message
- Whatsapp message
- SMS message
- Phone call
Lawful basis for collecting/storing the data
- My lawful basis for collecting and storing this data is legitimate interests – i.e. it is in the interest of my business to store the data required to allow me to communicate with you in response to your initial communication. I will only ever contact you back to deal with your enquiry and any follow up. Once we have concluded that discussion, I will never cold call or send you a marketing email about anything that’s not directly to do with your initial enquiry, unless you progress to being a client.
Data retention policy
- I retain contact details for people who’ve enquired in a number of places based on where the enquiry came from. All paying clients details are added to a client database on my Google Drive which itself is GDPR compliant. I log it there to be able to track the performance of by business from year-to-year. The original message may also remain accessible in my Gmail account, or my GoogleDrive/WhatsApp/Facebook/Instagram account, or as a listing in my phone’s call history. All devices that have access to such accounts are password protected and, in the case of my phone, TouchID-protected also. The detail of your enquiry is retained for as long as is necessary to ensure we no longer need to make contact.
If you wish to know what data I have stored related to you, send me email with your name and the subject GDPR request to firstname.lastname@example.org and I’ll reply to you promptly.
How I store and process data from clients
If you engage me as your photographer for a portrait session, commericial shoot, event, or any other purpose we will enter into a contractual arrangement, mutually agreed by both of us, and that contract will set out what photography services I am obliged to provide to you, as well as my fee and payment terms for that service. As well as the service of photography there may be a contractual arrangement between us regarding the provision of products (such as a framed collage or USB card). The data I gather from a client (and third parties associated with the client, such as family and friends) is used to fulfill my contractual obligations to the client. Such data may include:
- Details of your family, friends, employees where required (first names only)
- Your postal address/Eircode
- Your family home address/Eircode
- Your phone number
- Details of your event
- Your religion (e.g. by knowing that a wedding is, for instance, taking place in a Catholic church)
- Your sexual orientation (e.g. by knowing that a wedding is, for instance, a same-sex wedding)
Lawful basis for collecting/storing the data
- My lawful basis for collecting and storing this data is contractual obligation – i.e. in order to fulfil my contractual obligation to my clients I am required to collect and store that data to allow me to complete the shoot and deliver the final product(s). I will only ever contact you in relation to your photoshoot, be it in the future or the past, where we have not fully closed out all details of the contract. Under the lawful basis of legitimate interests, from time to time I will contact former clients who have not yet ordered an album, and who have not expressed a desire to NOT order an album, to enquire if they wish to select their photos for an album. Where clients request me to no longer contact them about an album I will cease doing so.
Data retention policy
- I retain contact details for clients in an excel sheet on Google Drive which itself is GDPR compliant. I retain it there indefinitely, as I retain your images, so that should you ever lose access to your images I am able to provide you with fresh access. If I don’t store your contact details for as long as I store the images, I can not make any connection between your images and you in the future. For all other information related to your event – including details of third parties such as family and friends – I delete those details once I have fulfilled my contractual obligation. Contracts are retained indefinitely for tax and auditing purposes. Photographs are retained indefinitely and securely archived in password protected hard drives.
Use of your images
Online storage of images
- My client galleries are all stored in ShootProof for a period of 2 weeks only. The ShootProof account is password protected and a professional-grade service with high end security to protect the images. My galleries are all not searchable and many are unlisted, meaning only those with a direct link (and/or a password) can access them. My lawful basis for storing these images is contractual obligation, and I retain them indefinitely for the client’s benefit. Such a gallery may be shown by me to prospective clients in order to sustain my business, under the lawful basis of legitimate interests.
Blog and social media use of images
- With the explicit consent of the client (verbal and/or written) as the lawful basis, and in the case of photographs of children, with the consent of the parent/guardian (verbal and/or written secured directly or via the client), I may publish a selection of images from a shoot on my blog, or in my social media feeds. Consent may be conditional on the client previewing the images first if desired, and is not required by the contract (i.e. it will be freely given). Consent can be withdrawn at any stage. Failing a withdrawal of consent, images posted to my blog and/or social media feeds will remain there indefinitely to provide a visual history of my business to prospective clients.
- It is necessary for me to show my best images to prospective clients, as well as a consistent and regularly updated sample of my work. My “shop window” for doing this is my website. From time to time, therefore, I will add portfolio images to my website to promote my business. My lawful basis for doing so is legitimate interests, and in choosing which images I post, I will take into consideration the consent (or lack of consent) for blog and social media use, as well as the content of the image itself, in order to fairly balance the rights of those contained in the image against the interests of my business. For commercial clients, or where a confidentiality clause has been agreed with the client, I will adhere to such a clause. Where I wish to post an image from a client who has not explicitly consented to blog and social media use of images, and while relying on legitimate interests as the lawful basis for sharing portfolio images on my website, I will inform the client of my intended use of the image in advance and reasonably consider requests to not proceed with the use. It’s important to distinguish this use case from the blog/social media use case which is under the lawful basis of consent from the client. It is in the interest of my business to be able to show current work of a high standard on my website from a range of recent client shoots. However it is not required that I show all images, or indeed images from all shoots.
- In the interest of continual professional development, I frequently enter my best images into awards programmes – including the IPPVA Awards. My lawful basis for doing so is legitimate interests, and in choosing which images I enter, I will take into consideration the consent (or lack of consent) for blog and social media use, as well as the content of the image itself, in order to fairly balance the rights of those contained in the image against the interests of my business. For commercial clients, or where a confidentiality clause has been agreed with the client, I will adhere to such a clause. Where I wish to enter an image from a client who has not explicitly consented to blog and social media use of images into an awards programme, and while relying on legitimate interests as the lawful basis for doing so, I will inform the client of my intended use of the image in advance and reasonably consider requests to not proceed with the use.
If you are a former/future client and wish to know what data I have stored related to you, send me email with your name and the subject GDPR request to email@example.com. If you previously consented to my use of your images for blog/social media use and wish to withdraw that consent, you can do so by sending me an email with your name and the subject Consent withdrawal to firstname.lastname@example.org. In both cases I’ll reply to you promptly.
GUESTS AT EVENTS
My style of event photography involves photographing everything related to the event. This requires me to photograph event guests, but equally because I market myself as such a photographer, it requires me to show photographs of people other than my clients.
My policy regarding photographs of guests
- It is not possible (nor required by GDPR) for me to seek consent of event guests to take their photographs. Additionally, my lawful basis for showing such images on my blog, social media, and/or website portfolio is legitimate interests because my business is only sustained by showing photographs that fit with my style of photography. GDPR makes no declaration regarding photographs of third parties. Nor does it generally seek consent as a requirement to take or show photographs. More relevant in this instance is general privacy law. In order to balance the rights of guests who appear in my photographs against the legitimate interests of my business, I apply the following two tests:
- As a guest at the event, would that person reasonably have expected to have appeared in such a photograph?
- If someone published that photograph of me on their website/blog/social media channel, would I be likely to be put out by that or feel it infringed my rights in some way?
- The fair and reasonable answer to BOTH of those questions dictates the balance between the legitimate interest of my business and the rights of event guests who appear in my photographs and only where I feel both are fairly balanced will I publish a photo of an event guest on my blog/social media channel/website. At any stage should you, as a guest, express a preference not to appear on my blog/social media channel/website, I will immediately comply with such a request. In complying with such a request, where I feel the image in question is of particular importance to my business, I may enter into an open and transparent conversation with you to seek your consent for continued use of the image in circumstances that you are happy with.
If you wish to discuss my use of an image of you as a wedding guest, send me email with your name and the subject Event guest image use to email@example.com and I’ll reply to you promptly.