Privacy Policy for EJ Photography
This document outlines the privacy practices of EJ Photography, a freelance photography business based in the United Kingdom. It is designed to inform individuals about how their personal data is collected, used, stored, and protected, in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Introduction to Our Privacy Policy
1.1. Who We Are (EJ Photography as Data Controller)
EJ Photography operates as a freelance photography business based in the United Kingdom. In the context of data protection law, EJ Photography acts as the Data Controller. This designation signifies that EJ Photography is the primary decision-maker regarding the purposes for which personal data is processed and the means by which it is handled and kept secure. This responsibility extends to all personal data collected through the photography services, the online portfolio website, and the integrated online shop. As a sole trader, EJ Photography bears the ultimate accountability for ensuring that all personal information is managed lawfully, fairly, and transparently, and that individuals’ data protection rights are upheld. This foundational role means that even when engaging third-party services that process data on its behalf, EJ Photography remains responsible for ensuring their adherence to data protection standards.
1.2. Purpose of This Policy
The purpose of this Privacy Policy is to clearly articulate EJ Photography’s commitment to protecting the privacy of all individuals whose personal data is processed. This policy serves as a transparent declaration of how personal data is collected, utilised, stored, shared, and ultimately protected, in strict adherence to the UK’s robust data protection framework, notably the UK GDPR and the Data Protection Act 2018. By providing this comprehensive information, EJ Photography aims to foster trust and confidence among its clients and website visitors, demonstrating a proactive approach to data privacy that extends beyond mere legal obligation. A clear, accessible, and comprehensive policy is not merely a legal requirement but a fundamental tool for communicating professionalism and respect for individual data rights.
1.3. Key Definitions
To ensure clarity and understanding, the following key terms are used throughout this Privacy Policy:
- Personal Data: Any information that relates to an identified or identifiable living individual. This includes, but is not limited to, names, email addresses, postal addresses, phone numbers, IP addresses, payment details, and, critically for a photography business, photographs of identifiable living people.
- Special Category Data: A subset of personal data that is considered particularly sensitive and requires a higher level of protection. This includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (when used for identification), data concerning health, and data concerning a person’s sex life or sexual orientation. A photograph can become Special Category Data if it reveals such sensitive information about an identifiable individual. This necessitates particular consideration for how and why such data is used, ensuring it is only processed when absolutely necessary and with extra care for its security.
- Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This encompasses a wide range of activities, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Controller: The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. In this context, EJ Photography is the Data Controller.
- Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller. Examples relevant to EJ Photography include Printful, payment gateways, and website hosting providers.
The explicit classification of identifiable photographs as personal data, and their potential to be special category data, significantly elevates the compliance responsibilities for EJ Photography. This means that the stringent requirements of UK GDPR apply directly to the very output of the business, demanding careful attention to consent, storage, and security for all images that contain identifiable individuals.
2. Our Data Protection Principles
EJ Photography adheres to the seven core principles of the UK GDPR, which form the foundation of all data processing activities. These principles ensure that personal data is handled responsibly and ethically.
2.1. Lawfulness, Fairness, and Transparency
EJ Photography processes all personal data in a manner that is lawful, fair, and transparent. This commitment means that personal data is always used in a way that complies with the law, is consistent with what individuals would reasonably expect, and is clearly communicated to them. To achieve lawfulness, a valid lawful basis is identified for every processing activity. Fairness dictates that data processing should not be unduly detrimental, unexpected, or misleading to data subjects. Transparency is achieved primarily through this Privacy Policy, which is designed to be clear, open, and honest about how personal data is collected, used, and shared. The policy is made easily accessible and uses plain language to ensure that individuals can readily understand how their information is handled, thereby building trust in EJ Photography’s practices.
2.2. Purpose Limitation
Personal data is collected by EJ Photography for specific, explicit, and legitimate purposes only, and is not processed in a manner that is incompatible with those initial purposes. For example, contact details provided for a photography booking will not be used for unrelated marketing activities without separate, explicit consent. This principle ensures that data collection is always driven by a clear, defined need, preventing the arbitrary or excessive accumulation of personal information. EJ Photography maintains internal records documenting the specific purposes for which each category of data is collected, reinforcing this commitment to focused data processing.
2.3. Data Minimisation
EJ Photography collects and processes only the personal data that is strictly adequate, relevant, and limited to what is necessary for the stated purposes. This means avoiding the collection of information “just in case” it might be needed in the future or out of mere curiosity. For instance, in photography, this principle guides the practice of taking only the necessary photos and avoiding the storage of excessive or unused images. This approach not only aligns with legal requirements but also serves as a proactive risk mitigation strategy: by holding less data, the potential impact and severity of a data breach are significantly reduced, thereby enhancing the overall security and integrity of personal information.
2.4. Accuracy
EJ Photography takes every reasonable step to ensure that personal data held is accurate, complete, and kept up to date. In instances where inaccuracies or incompleteness are identified, whether through internal review or notification from a data subject, prompt rectification or erasure is undertaken. This commitment to accuracy is vital for both compliance and operational efficiency, particularly in e-commerce where correct shipping and contact details are essential for successful order fulfillment. When data is shared with processors, EJ Photography expects and ensures cooperation in maintaining data accuracy.
2.5. Storage Limitation
Personal data is retained by EJ Photography for no longer than is necessary to fulfil the specific purposes for which it was collected. The UK GDPR does not prescribe fixed retention periods; instead, it requires organisations to establish and justify their own time limits based on the purpose of processing and any legal or regulatory obligations. EJ Photography has developed a comprehensive data retention schedule (see Appendix A) that outlines these periods for different categories of data. Regular reviews are conducted to identify and securely delete or anonymise data that is no longer required. For photographs, this means distinguishing between images retained for contractual purposes (e.g., product orders) and those for portfolio display where consent can be withdrawn. The option of anonymising data, such as by blurring identifiable features, allows for longer retention for statistical or historical purposes without infringing on individual identification principles.
2.6. Integrity and Confidentiality (Security)
EJ Photography implements appropriate technical and organisational measures to ensure the security of personal data, safeguarding it against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures are designed to maintain the confidentiality, integrity, and availability of data. Technical controls include the use of secure servers, encryption for data both at rest and in transit (e.g., HTTPS for the website), and robust access controls limiting data access to only those who require it for their duties. Organisational measures encompass documented policies and procedures for data handling, regular security audits, and comprehensive staff training to ensure awareness of data protection basics and responsibilities. The proportionality of these measures is carefully considered, aligning with the sensitivity of the data and the assessed risks, ensuring continuous vigilance against evolving threats.
2.7. Accountability
EJ Photography takes full responsibility for complying with all UK GDPR principles and actively demonstrates this compliance through appropriate measures and meticulous record-keeping. This includes maintaining comprehensive documentation of all data processing activities, decisions regarding lawful bases, data retention schedules, security measures implemented, and any data breach incidents. This principle underscores that compliance is not merely about adhering to rules but about being able to prove that adherence. For EJ Photography, this means cultivating a culture of data protection where every action related to personal data is considered, documented, and justifiable, thereby building a strong foundation of trust and regulatory adherence.
3. Information We Collect About You
EJ Photography collects various categories of personal data to provide its photography services and operate the online shop. Data is collected directly from individuals, automatically through website interactions, and from third-party service providers.
3.1. Data Collected Directly from You
When individuals engage with EJ Photography for services, make a purchase, or communicate directly, certain personal data is collected:
- Contact and Inquiry Data: This includes names, email addresses, postal addresses, and phone numbers, along with the content of any messages or inquiries submitted through contact forms, email, or telephone.
- Order and Transaction Data: When a purchase is made through the online shop, information necessary for processing and fulfilling orders is collected. This includes billing and shipping addresses, details of purchased products, and order preferences. While full payment card details are generally not directly stored by EJ Photography (as they are handled by secure payment gateways), information such as the name on the card, card type, expiry date, the first six and last four digits of the card number, and transaction amounts may be processed.
- Account Information: If individuals choose to create a customer account on the website, data such as a username and password will be collected to manage their account.
- Photography-Specific Data:
  - Identifiable Images: Photographs of individuals where their faces or other features make them clearly identifiable constitute personal data.
  - Consent Forms: Records of explicit consent for the taking and specific uses of photographs, particularly for public display or marketing, are collected and retained.
  - Special Category Data in Images: In certain contexts, a photograph may inadvertently reveal sensitive information that falls under Special Category Data (e.g., a visible disability, religious attire, or an event related to health). Should such data be present and identifiable, additional safeguards and explicit justification for its processing are required.
The direct collection of identifiable images as personal data represents a unique and significant compliance consideration for EJ Photography. This means that the most stringent data protection principles apply not just to standard contact information but to the core creative output of the business.
3.2. Data Collected Automatically
As individuals interact with the EJ Photography website, certain data is collected automatically to enhance functionality, improve user experience, and ensure security:
- Website Usage Data: This includes information about how individuals navigate and interact with the website, such as pages viewed, clicks, browsing history, and the time spent on various sections.
- Device and Browser Data: Technical information about the device and browser used to access the website is collected, including Internet Protocol (IP) addresses, browser type, operating system, and unique device identifiers. General location data may also be derived from the IP address.
- Cookies and Tracking Technologies: The website uses cookies and similar technologies (e.g., pixels, web beacons, log files) to collect information. These can be first-party cookies (set by EJ Photography’s website to remember preferences, login status, or shopping cart contents) or third-party cookies (set by external services for analytics or advertising). For non-essential cookies, explicit, opt-in consent is required via a cookie banner, ensuring individuals have clear control over their data. Simply continuing to browse the website without actively consenting is not considered valid consent for these purposes.
The automated collection of data, particularly through cookies, necessitates a distinct and explicit consent mechanism separate from the general privacy policy. This requires EJ Photography to implement a robust cookie consent management system that actively blocks non-essential cookies until affirmative consent is provided, a critical element of compliance.
3.3. Data Collected from Third Parties
EJ Photography integrates with various third-party service providers that process personal data on its behalf, acting as Data Processors. Information is shared with these entities to facilitate core business operations:
- Printful: As the print-on-demand and fulfillment partner, Printful receives customer order details, including names, shipping addresses, contact information, and the content (designs/images) to be printed on products. Printful acts as a Data Processor for EJ Photography’s customers, handling data according to EJ Photography’s instructions and its own privacy policies.
- Payment Gateways: Services such as Stripe or PayPal receive billing information and payment details to securely process transactions. This data typically includes the customer’s name, email, address, phone number, city/state/zip, a unique payment identifier, and certain card details (e.g., card type, expiry date, first six and last four digits of the card number).
- Website Hosting Provider: The company hosting EJ Photography’s website may collect log data, IP addresses, and other technical information related to website access and performance.
- Analytics Providers: Services like Google Analytics collect aggregated and, where possible, anonymised data on website usage, browsing patterns, and traffic sources to help EJ Photography understand and improve its website.
The reliance on third-party services establishes a controller-processor relationship where EJ Photography, as the Data Controller, remains ultimately responsible for the protection of personal data. This necessitates the implementation of Data Processing Agreements (DPAs) with these providers, legally binding them to adhere to UK GDPR standards and ensuring appropriate safeguards, especially concerning international data transfers.
4. How We Use Your Information (Purposes and Lawful Bases)
EJ Photography processes personal data for specific, legitimate purposes, each supported by a clearly defined lawful basis under the UK GDPR.
4.1. For Photography Services & Portfolio Display
- Purpose: To provide commissioned photography services, manage client bookings, deliver final photographic products, and showcase EJ Photography’s work on its online portfolio website, social media channels, and marketing materials.
- Lawful Basis: Consent.
- Explanation: For any identifiable individuals featured in photographs displayed publicly (e.g., on the portfolio, social media, or in promotional content), explicit, freely given, specific, informed, and unambiguous consent is required. This consent must be obtained through a clear affirmative action (opt-in), such as a signed Photo/Media Consent Form. The form specifies how and where the images will be used (e.g., website, social media, print) and clearly informs individuals of their right to withdraw consent at any time.
- Children’s Photos: If the photographic subject is under the age of 18, consent for image use must be obtained from a parent or legal guardian. EJ Photography takes care to avoid posting close-up, identifiable images of children without explicit permission.
- Crowd Photography: While general crowd photographs where no single person is the main focus are typically not classified as personal data, if a photograph is cropped to focus on an individual, it becomes subject to data protection laws. For identifiable individuals in public event photos used commercially, specific consent is still required. For large-scale events, mitigating actions such as prominent signage, identifiable photographers, and systems like coloured wristbands are employed to manage consent.
- Special Category Data: If a photograph inadvertently reveals sensitive information (e.g., a visible disability or religious context), it is considered special category data and requires even greater protection and specific justification for its use.
The legal basis for displaying identifiable photographs is almost exclusively consent, which places a significant operational requirement on EJ Photography to ensure that consent is correctly obtained, documented, and managed, particularly given the strict requirements for validity and withdrawal.
4.2. For E-commerce Transactions
- Purpose: To process and fulfill orders placed through the online shop, manage payments, arrange product shipping, and provide customer support related to purchases.
- Lawful Basis:
  - Performance of a Contract: Processing customer names, addresses, contact details, and order information is necessary to perform the contract of sale with the customer, enabling order processing, product delivery, and handling of returns.
  - Legal Obligation: Processing certain data (e.g., transaction records, payment details) is necessary to comply with legal requirements, such as tax and accounting regulations, and for fraud prevention.
The “performance of a contract” lawful basis streamlines data processing for core e-commerce functions, as it removes the need for explicit consent for each piece of data, provided the data is strictly necessary for the fulfillment of the agreed-upon service or product.
4.3. For Website Functionality & Improvement
- Purpose: To ensure the website operates correctly, enhance user experience, analyse website traffic and performance, and identify and address security issues.
- Lawful Basis:
  - Legitimate Interests: For processing data that is strictly necessary for the effective and secure operation of the website, such as preventing fraud, maintaining IT security, and basic, aggregated website analytics, provided these interests do not override the fundamental rights and freedoms of data subjects. A Legitimate Interests Assessment (LIA) is conducted to ensure this balance.
  - Consent: For non-essential cookies and tracking technologies, such as those used for advanced analytics, advertising, or social media integration. This requires explicit, opt-in consent obtained via a clear cookie banner that allows granular control over cookie preferences.
Website analytics and cookie usage present a mixed lawful basis scenario. While essential functionalities can often be justified by legitimate interests, any non-essential tracking requires explicit, affirmative consent. This means EJ Photography must ensure its website actively blocks non-essential cookies until such consent is given, and its privacy policy clearly distinguishes these uses and their respective lawful bases.
4.4. For Marketing Communications
- Purpose: To send promotional materials, newsletters, and updates about EJ Photography’s services, products, and special offers.
- Lawful Basis: Consent.
- Explanation: For electronic direct marketing (e.g., emails, text messages, automated calls) to individuals, explicit, opt-in consent is generally required. Consent must be freely given, specific, informed, and unambiguous, meaning individuals must actively take a step to opt-in (e.g., ticking an unticked box) and can withdraw their consent easily at any time.
- Legitimate Interests: For postal marketing to individuals, or business-to-business marketing where personal data is involved, EJ Photography may rely on legitimate interests, provided a Legitimate Interests Assessment (LIA) demonstrates that these interests do not override the data subjects’ rights and freedoms. In such cases, a clear and easy opt-out mechanism is always provided.
Marketing consent is subject to a high standard, demanding clear, active opt-in mechanisms and readily available withdrawal options. This requires EJ Photography to implement precise consent management for all marketing activities.
4.5. For Legal and Regulatory Compliance
- Purpose: To comply with legal obligations, respond to lawful requests from public authorities, prevent fraud, and protect EJ Photography’s legal rights and interests.
- Lawful Basis: Legal Obligation.
- Explanation: Processing personal data is necessary to comply with various statutory or common law obligations, such as retaining financial records for tax purposes, responding to data subject access requests (SARs), or cooperating with law enforcement investigations. This lawful basis dictates certain data retention periods regardless of other business purposes.
5. Sharing Your Personal Information
EJ Photography shares personal data only when necessary to provide its services, operate its business, or comply with legal obligations, always ensuring appropriate safeguards are in place.
5.1. With Third-Party Service Providers
EJ Photography engages various third-party service providers who act as Data Processors to facilitate the provision of services and the operation of the website. Personal data is shared with these providers only to the extent necessary for them to perform their designated functions on behalf of EJ Photography.
- Printful (Print-on-Demand & Fulfillment): Customer names, shipping addresses, contact details, and order content are shared with Printful for the express purpose of printing, fulfilling, and shipping products directly to customers. Printful operates as a Data Processor for EJ Photography’s customers.
- Payment Gateways (e.g., Stripe, PayPal): Billing information and payment details are shared with secure payment gateways to process transactions. This includes information such as the customer’s name, email, address, phone number, and certain card details necessary for transaction processing.
- Website Hosting Provider: The hosting provider may have access to data stored on EJ Photography’s website servers for operational and security purposes, ensuring the website remains accessible and secure.
- Website Analytics Providers (e.g., Google Analytics): Anonymised or aggregated data about website usage is shared with analytics providers to monitor website performance, understand user behaviour, and improve the online experience.
- Other Potential Service Providers: This may include providers for email marketing platforms, customer relationship management (CRM) systems, cloud storage for photo backups, and accounting software.
EJ Photography ensures that robust contractual agreements, specifically Data Processing Agreements (DPAs), are in place with all third-party processors. These agreements legally obligate the processors to protect personal data in line with UK GDPR standards, act only on EJ Photography’s instructions, and implement appropriate security measures. This rigorous approach to processor relationships is critical for maintaining accountability and mitigating risks associated with third-party data handling.
5.2. Legal Requirements and Business Transfers
Personal data may be disclosed by EJ Photography if required by law, court order, or governmental regulation, such as in response to a valid legal process or request from a public authority. In the event of a merger, acquisition, or sale of all or a portion of EJ Photography’s assets, personal data may be transferred as part of the business assets. Such transfers would be subject to strict confidentiality agreements and would be carried out in compliance with applicable data protection laws to ensure the continued protection of personal data.
6. International Data Transfers
EJ Photography operates within the UK, but the nature of online services, particularly with integrated third-party providers, may involve the transfer of personal data outside the UK and the European Economic Area (EEA).
6.1. Explanation of Transfers Outside the UK/EEA
Personal data collected by EJ Photography may be transferred to and stored in countries outside the UK and the European Economic Area (EEA). Such transfers are classified as “restricted transfers” under UK GDPR unless the destination country has an “adequacy decision” from the UK government, signifying that it provides an equivalent level of data protection. It is important to note that while data transfers from the UK to the EEA are permitted, and the EU has an adequacy decision for the UK (currently valid until June 2025), transfers to other countries, such as the USA, typically require specific safeguards.
6.2. Specifics for Printful and Other Providers
As Printful, Inc. is a company based in the USA, a country that does not currently have an adequacy decision from the UK government, transfers of personal data to Printful for order fulfillment are considered restricted transfers. Similarly, other third-party service providers (e.g., certain analytics providers or cloud services) may also process data outside the UK/EEA. EJ Photography is committed to ensuring that all such international data transfers are conducted with appropriate safeguards to maintain an “essentially equivalent” level of protection for personal data as provided under UK GDPR.
6.3. Transfer Mechanisms Used
To ensure an “essentially equivalent” level of protection for personal data transferred outside the UK/EEA, EJ Photography relies on appropriate safeguards as mandated by UK GDPR:
- International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, EJ Photography ensures that its Data Processing Agreements (DPAs) with relevant third-party processors, including Printful, incorporate the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs). These are contractual mechanisms specifically approved by the ICO for restricted transfers from the UK, designed to provide enforceable rights and legal remedies for individuals.
- Transfer Risk Assessment (TRA) / Transfer Impact Assessment (TIA): EJ Photography conducts assessments of the risks associated with international data transfers, particularly to countries without adequacy decisions. This involves evaluating the legal and practical landscape of the recipient country to determine whether the chosen transfer mechanism, potentially supplemented by additional technical or organisational measures, provides adequate protection.
The post-Brexit landscape for international data transfers from the UK is distinct, necessitating the use of specific UK-approved mechanisms. This requires EJ Photography to actively verify that its processors, especially those based outside the UK/EEA, have implemented the correct contractual safeguards and to conduct due diligence to ensure robust data protection.
7. Data Security Measures
EJ Photography is committed to protecting personal data through robust technical and organisational measures, safeguarding it against unauthorised access, alteration, disclosure, or destruction.
7.1. Technical and Organisational Safeguards
A comprehensive range of measures is implemented to ensure the security of personal data:
- Encryption: Personal data is encrypted both at rest (when stored) and in transit (when being transmitted), for instance, through the use of HTTPS for the website and secure cloud services for client files.
- Access Controls: Strict access controls are maintained, ensuring that personal data can only be accessed by individuals who require it to perform their job functions. This includes the use of strong, unique passwords and, where available, multi-factor authentication for all systems and accounts.
- Secure Systems and Infrastructure: EJ Photography utilises secure website hosting, firewalls, and ensures that all software and systems are regularly updated to protect against vulnerabilities.
- Regular Security Audits and Vulnerability Assessments: Periodic assessments are conducted to identify and mitigate potential security risks and ensure ongoing compliance with security standards.
- Physical Security Measures: For any hard copy data or physical devices storing personal information, appropriate physical security measures are implemented, such as locked filing cabinets and secure storage locations.
- Staff Training and Awareness: All personnel involved in data processing (including the freelance photographer themselves) receive regular training on data protection basics, security best practices, and their responsibilities in handling personal data.
- Documented Policies and Procedures: Internal policies and procedures for data handling and security are maintained to guide practices and demonstrate accountability.
Data security is viewed as a continuous process, involving both technical infrastructure and human diligence. The measures implemented are proportionate to the sensitivity of the data handled and the risks involved, ensuring continuous improvement and vigilance against evolving cyber threats.
7.2. Data Breach Notification
In the unlikely event of a personal data breach, EJ Photography has established procedures to promptly assess, contain, and, where required by law, notify the Information Commissioner’s Office (ICO) and affected individuals without undue delay, and in any event within 72 hours of becoming aware of the breach. This commitment to timely notification is a critical legal obligation and a key component of EJ Photography’s accountability framework.
8. How Long We Keep Your Information (Data Retention)
EJ Photography adheres strictly to the UK GDPR principle of storage limitation, ensuring that personal data is not kept for longer than is necessary for the purposes for which it was collected.
8.1. General Principles of Storage Limitation
The UK GDPR mandates that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. While the regulation does not specify fixed retention periods, it requires Data Controllers to establish and justify their own time limits based on the purpose of processing, any legal or regulatory obligations, and industry best practices. EJ Photography maintains a documented data retention policy that outlines these periods for different categories of data. Regular reviews are conducted to identify data that is no longer needed, which is then securely deleted or anonymised to prevent further identification. This ensures that data is not held indefinitely “just in case”.
8.2. Specific Retention Periods for Different Data Types
The following table (Appendix A) provides an overview of the typical retention periods for various categories of personal data processed by EJ Photography. These periods are determined by balancing legal requirements, contractual obligations, and legitimate business needs, and are subject to periodic review and adjustment.
9. Your Data Protection Rights
Under the UK GDPR, individuals have specific rights regarding their personal data. EJ Photography is committed to upholding these rights and provides clear mechanisms for individuals to exercise them.
9.1. Right to Be Informed
Individuals have the right to receive clear, concise, and easily understandable information about how their personal data is processed. This Privacy Policy serves as the primary means of fulfilling this right, providing comprehensive details about data collection, use, sharing, retention, and individual rights.
9.2. Right of Access (Subject Access Requests – SARs)
Individuals have the right to access and receive a copy of their personal data held by EJ Photography, along with supplementary information about its processing. Requests for access (known as Subject Access Requests or SARs) can be made verbally or in writing. EJ Photography will respond to valid SARs without undue delay and, in most cases, within one calendar month of receipt. This timeframe may be extended by a further two months for complex or numerous requests, with notification to the individual. Identity verification will be required to ensure the security of personal data.
9.3. Right to Rectification
Individuals have the right to request that inaccurate or incomplete personal data held about them be corrected or completed. EJ Photography will respond to such requests without undue delay and within one month of receipt, taking reasonable steps to satisfy itself that the data is accurate and to rectify it where necessary.
9.4. Right to Erasure (Right to Be Forgotten)
Individuals have the right to request the deletion or removal of their personal data where there is no compelling reason for its continued processing. This right is particularly relevant for photographs displayed based on consent, where withdrawal of that consent would typically necessitate removal. EJ Photography will comply with valid requests for erasure from active use, such as removing identifiable images from the live website portfolio or new marketing materials. However, it is important to note that images may persist in existing printed publications or certain archival materials where removal is technically impractical or where a legitimate interest for historical retention exists and is not overridden by the individual’s rights. EJ Photography will communicate clearly with individuals about what can and cannot be achieved in response to an erasure request for photographs.
9.5. Right to Restrict Processing
Individuals have the right to request the restriction or suppression of the processing of their personal data in certain circumstances. This may apply if the accuracy of the data is contested, if the processing is unlawful but the individual opposes erasure, or if EJ Photography no longer needs the data for its original purpose but the individual requires it for legal claims.
9.6. Right to Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This right allows individuals to receive their personal data in a structured, commonly used, machine-readable format (e.g., CSV file) and to transmit that data to another controller without hindrance from EJ Photography.
9.7. Right to Object
Individuals have the right to object to the processing of their personal data in certain situations, particularly where the processing is based on legitimate interests or for direct marketing purposes. If an objection is raised to direct marketing, EJ Photography will cease processing data for that purpose.
9.8. Rights in Relation to Automated Decision-Making and Profiling
Individuals have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning them or similarly significantly affects them. EJ Photography does not currently engage in solely automated decision-making or profiling that would produce such effects. Should this practice change in the future, this policy will be updated, and specific information will be provided about the processing, the individual’s right to challenge the decision, and measures to prevent errors, bias, and discrimination. While this right is less common for photography businesses, acknowledging it demonstrates a forward-thinking approach to potential future technological adoptions.
9.9. How to Exercise Your Rights
To exercise any of the aforementioned data protection rights, individuals may contact EJ Photography using the contact details provided in Section 11.1. All requests will be handled in accordance with UK GDPR timelines and procedures. EJ Photography may require verification of identity to ensure the security of personal data and to prevent unauthorised access.
10. Changes to This Privacy Policy
EJ Photography may update this Privacy Policy periodically to reflect changes in its data processing practices, legal requirements, or the introduction of new services or technologies. This policy is considered a dynamic and living document, subject to regular review. Any significant changes will be communicated by posting the updated policy on the EJ Photography website. Where appropriate and feasible, individuals may also be notified through other means, such as email, before new processing activities commence.
11. Contact Information and Complaints
11.1. Our Contact Details
For any questions, concerns, or requests related to this Privacy Policy or the processing of personal data, please contact EJ Photography using the following details:
EJ Photography
Email: [email protected]
Website: https://ej-photography.org
11.2. Complaints to the Information Commissioner’s Office (ICO)
Individuals have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for data protection issues, if they believe their data protection rights have been infringed.
Information Commissioner’s Office (ICO) Contact Details:
Website: ico.org.uk
Helpline: 0303 123 1113
Appendix A: Data Retention Schedule
This table outlines the typical retention periods for various categories of personal data processed by EJ Photography. These periods are determined based on legal requirements, contractual obligations, and legitimate business needs, ensuring compliance with the UK GDPR principle of storage limitation. This schedule serves as a transparent declaration to data subjects and an operational guide for EJ Photography, demonstrating accountability for data lifecycle management.
| Data Category | Types of Personal Data Included | Purpose of Processing | Typical Retention Period | Justification/Legal Basis |
|---|---|---|---|---|
| Customer Order Data | Names, contact details (email, phone, address), shipping addresses, purchase history, order preferences. | Order fulfillment, customer service, warranty claims, re-orders, tax and accounting compliance, dispute resolution. | 6 years post-transaction. | Legal Obligation (HMRC tax records), Performance of Contract, Legitimate Interests (customer service, sales analysis). |
| Client Photography Consent Forms | Name, signature, date of consent, specific consent preferences for image use, identifiable images linked to consent. | To demonstrate valid consent for image display, to facilitate withdrawal of consent, for legal defence against claims. | Until consent is withdrawn, plus 1 month for administrative purposes. For images on public portfolio, removal from new publications upon withdrawal, but existing publications may retain if legitimate interest applies. | Consent, Accountability. |
| Website Analytics Data | IP addresses (if not anonymised), browsing history, device information, pages visited, time spent on site. | User experience optimisation, website performance analysis, site usage analysis, targeted marketing (if consented). | 6 months to 2 years. | Legitimate Interests (for aggregated, non-identifiable data), Consent (for individual tracking via non-essential cookies). |
| Contact Form Submissions / Inquiries | Name, email address, message content, date of inquiry. | To respond to inquiries, provide customer support, improve service, and for internal record-keeping of interactions. | 1-3 years from last interaction. | Legitimate Interests (customer service improvement, record-keeping), Performance of Contract (if inquiry leads to booking). |
| Payment Transaction Details (non-card data) | Payment amounts, dates, payment gateway transaction IDs, reference numbers. | Tax and accounting compliance, dispute resolution, fraud prevention. | 6 years post-transaction. | Legal Obligation (HMRC tax records), Performance of Contract. |
| Marketing Data (e.g., email subscriber lists) | Name, email address. | To send marketing communications (newsletters, promotions). | Until consent is withdrawn or individual opts out. | Consent. |
Appendix B: Third-Party Processors and Their Roles
This table provides details of key third-party service providers that act as Data Processors for EJ Photography, outlining the purpose of their service, the types of data shared, their role, and any implications for international data transfers. This transparency is crucial for individuals to understand the full data flow and for EJ Photography to demonstrate its accountability in managing processor relationships.
| Service Provider | Purpose of Service | Type of Data Shared | Role | Location of Processing/International Transfer Implications |
|---|---|---|---|---|
| Printful, Inc. | Print-on-demand product fulfillment and shipping. | Customer name, shipping address, contact details, product design/content. | Data Processor | USA (International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses (SCCs) in place to ensure adequate safeguards). |
| Payment Gateway (e.g., Stripe, PayPal) | Secure processing of online payments. | Customer name, billing address, email, phone, unique payment identifier, card type/expiry (sensitive card numbers tokenized by gateway). | Data Processor | May involve international transfers; reliance on their Data Processing Addendum and appropriate transfer mechanisms (e.g., SCCs/IDTA). |
| Website Hosting Provider | Hosting and maintenance of the EJ Photography website. | Website log data (IP addresses, browser type), potentially customer account data if stored on host’s servers. | Data Processor | Varies (e.g., UK/EEA with adequacy decision, or if outside, appropriate transfer mechanisms like IDTA/SCCs). |
| Website Analytics Provider (e.g., Google Analytics) | Website traffic analysis, user behaviour insights, performance monitoring. | Anonymised IP addresses, browsing patterns, device information, referral sources. | Data Processor | USA (requires appropriate transfer mechanisms, e.g., IDTA/SCCs, and potentially supplementary measures). |
Conclusions
This comprehensive privacy policy underscores EJ Photography’s commitment to robust data protection practices, aligning with the stringent requirements of UK GDPR and the Data Protection Act 2018. The analysis highlights several critical considerations for a freelance photography business operating an online shop:
- Photographs as Personal Data: The core output of EJ Photography—identifiable photographs—is explicitly classified as personal data, and potentially special category data. This necessitates a heightened level of care, particularly regarding consent for public display and enhanced security measures for image storage.
- Nuanced Lawful Bases: The business operates under various lawful bases depending on the activity. While e-commerce transactions primarily rely on “Performance of a Contract” and “Legal Obligation,” public display of photographs and electronic marketing overwhelmingly depend on “Consent.” This requires EJ Photography to implement distinct and rigorous consent mechanisms, such as dedicated photo consent forms and active opt-in for marketing.
- Controller-Processor Accountability: As the Data Controller, EJ Photography bears ultimate responsibility for all personal data processed, including that handled by third-party processors like Printful, payment gateways, and hosting providers. This mandates the establishment of formal Data Processing Agreements (DPAs) with these entities, ensuring they comply with UK GDPR standards.
- International Transfer Complexities: Given that key service providers like Printful are based outside the UK/EEA (e.g., in the USA, which lacks a UK adequacy decision), data transfers are “restricted.” EJ Photography must therefore ensure that appropriate transfer mechanisms, such as the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses (SCCs), are embedded within its DPAs. Furthermore, conducting Transfer Risk Assessments (TRAs) is crucial to evaluate and mitigate risks associated with these cross-border data flows.
- Dynamic Compliance: Data protection is an ongoing process, not a static achievement. This policy, along with the detailed data retention schedule, reflects the need for continuous review and adaptation to evolving legal landscapes (such as the upcoming Data (Use and Access) Act) and business practices. Regular security audits, staff training, and a clear data breach response plan are essential for maintaining integrity and accountability.
By meticulously adhering to the principles outlined in this policy and implementing the specified technical and organisational measures, EJ Photography can effectively manage its data protection obligations, mitigate legal risks, and build enduring trust with its clientele.