Data Protection Policy

Rebecca Douglas LTD trading as Rebecca Douglas Photography

Introduction

Rebecca Douglas LTD trading as Rebecca Douglas Photography is committed to protecting the privacy and personal data of individuals in accordance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws in the United Kingdom.

This policy outlines our commitment to data protection and the procedures we have in place to ensure the lawful and secure handling of the personal data belonging to our customers, suppliers, employees, workers, contractors, website users and other third parties (past or present).

This policy is an internal document which should not be shared with third parties without the consent of Rebecca Douglas.

Scope

This policy applies to all employees, contractors, and third parties who handle personal data on behalf of Rebecca Douglas LTD, who must comply with it at all times.  A failure to comply will expose Rebecca Douglas LTD to the risk of substantial fines.

It covers all personal data collected, processed, and stored by our business operations.

Data Protection Principles

We adhere to the following data protection principles:

a. Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and transparently.  We provide detailed, specific information to data subjects as to how we collect, store and use their personal data, in the Privacy Notice on our website. 

b. Purpose limitation: Personal data is collected and processed only for specified, explicit, and legitimate purposes.  We do not use personal data for new purposes, unless we disclose this to the data subject and obtain their consent.

c. Data minimization: Only the minimum necessary personal data is collected and processed for the intended purpose.  You may only collect and process personal data for purposes connected with your job.

d. Accuracy: Personal data is accurate, kept up to date regularly, and necessary steps are taken to rectify inaccuracies.  Inaccurate or out-of-date personal data must be corrected or destroyed.

e. Storage limitation: Personal data is stored for no longer than necessary for the purpose specified at the time it was collected.  

f. Integrity and confidentiality: Appropriate technical and organisational measures are implemented to ensure data security, and to prevent unauthorised processing or accidental loss, destruction or damage.  Particular care is taken with the security of special category data.  Data is not transferred to another country without appropriate safeguards in place.

g. Accountability: We demonstrate compliance with data protection laws and are accountable for our data processing activities.

Data Collection and Processing

We only collect and process personal data that is necessary for our legitimate business purposes or as required by law.

We collect personal data in a way which is lawful and transparent, and provide individuals with appropriate notices and information regarding the processing of their data.

We take steps to ensure that personal data is accurate, up to date, and relevant for the intended purposes.

Lawful Bases for Processing

We identify and document the lawful bases for processing personal data.  These lawful bases include processing data for the performance of a contract, to meet our legal obligations, to protect Rebecca Douglas LTD’s legitimate interests, or where the data subject has given their consent.  

Consent requires an affirmative action from the data subject, and can be withdrawn.

Consent must be obtained and documented where we are processing special category data or data relating to criminal convictions.  We keep records of all consents.

Consent must also be obtained for electronic direct marketing, for example by email and text.  If a customer opts out of receiving direct marketing, we shall comply with that request immediately. 

Data Subject Rights

We respect and facilitate the exercise of data subject rights, including the right to access, rectify, erase, restrict processing, object, and data portability.

We acknowledge requests to exercise data subject rights promptly and process them within the timelines set by UK GDPR.

You should forward any data subject access request to Rebecca Douglas.

Data Security

We implement appropriate technical and organisational measures to ensure the security and confidentiality of personal data.

Measures include, but are not limited to, restricting access to data to those who need to know and are authorised to access it; encryption; regular system updates and patches; secure storage and transmission of data; and staff training on data protection and security.

Data Breach Management

We have procedures in place to detect, report, and investigate data breaches promptly.

Data breaches are reported to the ICO and affected individuals in compliance with our legal requirements.

Remedial actions are taken to mitigate the impact of data breaches and prevent future occurrences.

If you know or suspect a data breach has taken place, you should contact Rebecca Douglas immediately on hello@rebeccadouglas.co.uk.  You must preserve all evidence relating to the data breach.

Data Sharing and Transfers

Personal data should only be shared with third parties if they need to know the information, the data sharing is in compliance with our Privacy Notice and any necessary consent has been obtained, and the third party has the required data security standards, policies and procedures in place.

If personal data is transferred to third parties or outside the UK, appropriate safeguards and mechanisms, such as data protection agreements or Standard Contractual Clauses, are in place to ensure the protection of personal data, or the data subject has provided explicit consent to the transfer.

Training and Awareness

We provide regular training and awareness programs to employees regarding data protection laws, policies, and best practices.

All employees and contractors are expected to comply with this policy and take responsibility for protecting personal data.

Compliance Monitoring and Review

We regularly review and update our data protection practices to ensure ongoing compliance with UK GDPR and other applicable data protection laws.

We keep full and accurate records of all our personal data processing activities, including processing activities and purposes, third party recipients of data, data storage locations and data transfers.

Compliance with this policy is monitored, and any breaches or non-compliance are appropriately addressed.

Contact Information

Individuals can contact Rebecca Douglas regarding any data protection concerns, questions, or requests by using the following contact details: hello@rebeccadouglas.co.uk

This Data Protection Policy is an integral part of our commitment to protecting personal data and complying with data protection laws. It is reviewed periodically and updated as necessary.  This Data Protection Policy was last updated on 1st Feb 2024.

Rebecca Douglas LTD

1st Feb 2024