Data Protection Notice
Effective 25th May 2018
We respect your trust in us to use, store and share your information. In this notice, we explain how we collect personal data about you, how we use it and how you can interact with us about it.
In order to process personal data about an individual, we must do so in a way that is fair and that meets the principles set out in the EU General Data Protection Regulation (GDPR). The principles require that personal data is processed in a transparent manner which means that individuals should be provided with specific information about how we use their personal data.
We try to keep this notice as simple as possible but if you are unfamiliar with any of our terms or want more detailed information, please see our Data Protection Policy or contact us via the details set out below.
Who we are:
'gpfoto.ie' is a business name registered to Gerald O’Sullivan. When we say 'gpfoto', 'us', 'our' or 'we', we are referring to Gerald O’Sullivan. Our registered office is situated at The Mill, English Row, Celbridge Co. Kildare Ireland.
GPFOTO is the 'data controller' for the purposes of applicable data protection laws.
Our data protection representative is Gerald O’Sullivan who may be contacted by writing to the above address or by email to ( [email protected] )
Why we process your data, the lawful basis for processing your data and who we share it with
We are a sports photography agency and attend sporting events nationwide and internationally. We attend these events to take photographs for sale to the public (these includes selling online through our website to parents and players)
The legal basis for our processing is based on article 6(F) GDRP. This provides where processing is necessary for the purposes of legitimate interests except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Where photographs are being taken at an event attended by large crowds, it is not possible to obtain the consent of all attendees. However, we promote and encourage all sporting organisations to have clear signs around the venue indicating that photos are being taken. If we take a photo of any individual who wishes to have the image deleted, we will immediately remove the material from our website and destroy the image.
We are often engaged by entities to take photographs to promote their brand or product. The legal basis for our processing is to comply with our contractual obligations with this third party. As part of our contractual arrangement we impose a pre-condition to state that the third party who has commissioned us has obtained clear written or verbal consent from the data subject (individual) involved. In some cases, we are considered to be a data processor as the image is taken under direction of another. Again, if anybody contacts us to request an image to be taken down, it is our policy to do so immediately and advise the contracting party to resolve this issue.
Where any images are taken of children, it is our policy to protect the fundamental rights and freedoms of every child. If we attend an event and an image is taken of a child, who is not the focus of the image e.g. in the crowd, it is not always possible to obtain parental consent. However, if we take a photograph where a child is the main focus of the image, we will ensure clear parental or child consent is obtained. Likewise, where we are to attend any underage / school event, it is our policy to impose a pre-condition on all organisations / schools to ensure they have consent of each parent or child that it is freely-given, specific, informed and unambiguous, made by way of a clear statement or affirmative action for the child's images to be taken. In some cases, we are considered to be a data processors. As with all our images, if any parent or child requests an image to be taken down, we will do so without question.
GDPR recognises the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression. Irish legislation provides for exemptions or derogations from GDPR if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information. GPFOTO's endeavours to comply in all manners with GDPR, but given the nature of the business, it may at times need to rely on the derogations provided for this purpose.
How we keep your data safe'
We have implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through our business and our website. When you contact us to ask about your information, we may ask you to prove your identity. This is to help protect your information.
How long we keep your data for'
Where we have a contractual arrangement with an individual / organisation, we will retain the personal data for the duration of the contract and for a period of time after that. Where we do not have a contractual arrangement, all images are routinely reviewed and as part of our overall policy on an annual basis and where we believe it is no longer necessary to retain the image, it is deleted. We do not hold any images for longer than is necessary.
Your data and third parties
As well as transferring images to third parties as set out above, we also share information with core services providers required for this part of our business to function. This may include companies who we engage to provide IT support, process payments, pick and pack orders, make deliveries, print materials or customer services.
We expect these third parties to have the same levels of data protection that we have.
Transfers of data outside the European Economic Area
We may transfer data relating our web services to service providers such as Google Analytics who are located outside the EU. We expect the same standard of data protection to be applied outside the EU and have safeguards in place.
Your rights relating to personal data
You have the following rights under the GDPR, in certain circumstances and subject to certain exemptions, in relation to your personal data:
∙ right to access the data - you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
∙ right to rectification- you have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
∙ right to erasure - you have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
∙ right to restriction of processing or to object to processing - you have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
∙ . Right to data portability - you have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
In order to exercise any of the rights set out above, please contact us at the contact details at the start of this data protection notice.
If we are processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.
Automated decision-making and profiling
We do not use any personal data for the purpose of automated decision-making or profiling.
Making a Complaint
If you have any complaint about the use of your personal information, please contact us at the contact details set out above. Please be assured that all requests and / or complaints received will be fully investigated and acted on without any delay.
You can also contact the Data Protection Commission in Ireland at www.dataprotection.ie