GDPR Data Protection Notice
At Schoolpix Photography your privacy is very important to us.
It is one of our fundamental responsibilities as a business to ensure that we protect the information entrusted to us by you. This Data Protection Notice looks to answer your important questions about the processing of personal information by our organisation. Please take some time to read this Data Protection Notice carefully.
In this Data Protection Notice, we use the terms “Schoolpix” or “we” to refer collectively to the business and its subsidiaries.
1.1. This notice has been prepared in line with our interpretation of GDPR and advice from other informed third-party consultants. Although we have taken reasonable precautions to ensure full compliance with GDPR, we cannot wholly accept responsibility for any loss or damage arising from its interpretation and matters which may arise which are out of our control.
With over 25 years' experience in the school photography business, we produce consistently high-quality school photography for schools, parents and children. We work in Primary, Secondary and Third level institutions across the country.
Our photographs may be accessed online through our password-protected website, Schoolpix.ie, and offline through an order form process which is facilitated by the schools we work with. We are a Sole Trader, registered in the Companies Registration Office under CRO Number 5639678.
1.2. How you can contact our business
If you have any questions about your privacy rights or if you would like to change your privacy preferences, you can contact us in the following ways: Email Pix@schoolpix.ie or phone 089 6006790
If you have specific queries about this Data Protection Notice or our approach to privacy, you can also contact us directly and we will ensure that your query is treated in a confidential manner.
If you do not agree with the response you receive from us, you are entitled to lodge a complaint with the Office of the Data Protection Commissioner:
You can visit the website of the Office of the Data Protection Commissioner at www.dataprotection.ie for more details.
Office of the Data Protection Commissioner Canal House, Station Road, Portarlington, Co. Laois, R32 AP23
Phone: + 353 57 868 4800 / + 353 761 104 800 LoCall: 1890 25 22 31 Fax: + 353 57 868 4757 Email: firstname.lastname@example.org
2. How can you control the personal information you have given to us?
When your personal information is handled in connection with our product or service, you are entitled to rely on several rights. These rights allow you to exercise meaningful control over the way in which your personal information is processed. You may execute any of these rights free of charge (in certain exceptional circumstances a reasonable fee may be charged, or we may refuse to act on the request) and we may ask you to verify your identity prior to proceeding with your instruction by way of requesting additional information/documentation from you. Once we are satisfied that we have effectively verified your identity, we will respond to most requests without undue delay and within a one-month period i.e. 30 calendar days of receipt of the request. We will action your request to have your personal information corrected within 10 calendar days. These periods may be extended in exceptional circumstances and we will inform you where the extended period applies to you along with an explanation of the reasons for the extension. Further information in relation to how you may execute these rights is outlined in the Data Protection section of our notice, or is available by contacting us using the channels outlined in this document.
For example, you are entitled to:
2.1. Access your personal information
You can look to access the personal information we hold about you by contacting us with a data access request using the channels outlined. We will endeavour to provide you with as complete a list of personal information as possible. However, it can happen that some personal information from back-up files, logs and stored records may not be included in that list as this information is not processed by us on an ongoing basis and it is not therefore immediately available. For that reason, this personal information may not be communicated to you. However, this personal information remains subject to standard data maintenance procedures and will only be processed and retained in accordance with those procedures.
2.2. Correct / restrict / delete your personal information
If you believe that certain personal information we hold about you is inaccurate or out of date, you can look for the information to be corrected at any time using the channels outlined after we have verified the information. If you dispute the accuracy of information held, you can request that we restrict processing this information while your complaint is being examined. If you suspect that we are processing certain information without a legitimate reason or that we are no longer entitled to use your personal information, you can also ask for that personal information to be deleted.
We are not under an obligation to rectify or delete your personal information where to do so would prevent us from meeting our contractual obligations to you, or where our business is required or permitted to process your personal information for legal purposes or otherwise in accordance with our legal obligations to our Contractors, Clients or Suppliers.
We ask that you keep us informed of any relevant change in your personal circumstances to enable us to keep the information on our systems up to date and accurate.
2.3. Withdraw your consent
Whenever you have provided us with your consent to process your personal information, for example, so that we can contact you about one of our products or services, you have the right to withdraw that consent at any time through one of the channels identified. If you withdraw consent to processing (and if there is no other justification for continuing to process your information), you are also entitled to request that your personal information is deleted. Withdrawing consent does not affect the lawfulness of any processing undertaken by us based on your consent before its withdrawal.
2.4. Object to your personal information being used for certain purposes
If you disagree with the way in which we process certain information based on our legitimate interest, you can object to this through one of the channels identified. In such cases we will provide you with details regarding the rationale for processing your personal information and we will stop processing the personal information under dispute if we cannot legitimately justify the reasons for processing within the agreed timeframe. None of our operations are fully automated.
2.5. Request your personal information to be transferred in electronic form
You can (in certain cases) request that your personal information is transferred to you or to another service provider so that you can store and reuse your personal information for your own purposes across different services. We will not be in any way accountable or liable for any damage, loss or distress sustained, incurred or suffered by you and/or the designated service provider because of improper use of the personal information upon and after receipt from us.
2.6. How to exercise your rights
You can exercise the rights outlined above free of charge by contacting us using any of the channels mentioned in this document.
3. Why do we collect and use your personal information?
We gather and process your personal information for a variety of reasons and rely on a number of different legal bases to use that information. For example, we use your personal information to process your orders, to help administer your products and services, to ensure we provide you with the best service possible, to prevent unauthorised access to your accounts and to meet our legal and regulatory obligations.
3.1. To comply with legal obligations
We are required to process your personal information to comply with certain legal obligations, for example:
3.1.1. to report and respond to queries raised by regulatory authorities, law enforcement and other government agencies such as the Central Bank of Ireland, the European Central Bank and relevant policing authorities;
3.1.2. to respond to requests from Irish Revenue in accordance with relevant tax legislation including queries relating to Foreign Account Tax Compliance Act (FATCA), stamp duty and Common Reporting Standard (CRS) and under Notices of Attachment issued by Irish Revenue;
3.1.3. to pass details of the originator or the payee to the receiving or transferring financial institution;
3.1.4. to meet regulatory information security & incident reporting requirements such as under the Directive on Security of Network and Information Systems (NIS Directive);
3.1.5. to cooperate and provide information requested in the context of legal and/or regulatory investigations or proceedings;
3.1.6. to investigate allegations of fraud and prevent fraud by third parties or customers.
3.2. To enter into and perform a contract for a product or service
3.2.1. Before we provide you with products or services, we must gather some personal information to process your application and to assess the terms upon which we can enter into the contract with you. This includes, for instance, gathering and processing personal information for use on a photo shoot.
3.2.2. To manage your products or services, we must process your personal information. Examples of processing include the administration of accounts, payments, credit decisions. As part of this process, we may be required to pass some personal information to an intermediary or counterpart (e.g. if you perform a payment transaction, we pass information on the progress of the transaction to the payee concerned). In addition, we have insurance protection, which means we may be required to provide your personal information to our insurance partners in connection with the provision and administration of insurance related claims. This type of information will only be obtained and processed where necessary to process your terms of business with us, administer your account or comply with a legal obligation.
To enable us to function as a business
3.4. Consent: We will always seek consent to photograph in the schools we work with. This consent may have been gathered by the school previously or may take the form of an Opt Out notification, distributed to pupils in advance of a photo shoot.
We may use your personal information to make you aware of products and services which may be of interest to you but at this time we do not market directly to you, our customers. In the future we might like to provide you with customised offers and personalised customer service but we will ask you for your consent before we do that. You can at any time withdraw that consent through the contact channels set out.
3.4.2. Sensitive Information Consent:
We sometimes collect and process information which may be of a sensitive nature: your Son's/Daughter's Name and Class/Teacher Name, which are provided with your consent by the school. Your Name, Your School Address, Phone Number and Email are provided by you in your business dealings with us for a product or service. This information is used to correctly match you with your Son's/Daughter's photograph to form part of your photo order. We delete Phone Number and Email details after we are sure your order has been collected. Your Name and School Address will remain associated with your order for Revenue Accounting regulations. We ask that you do not input your home address on orders as we only deliver to school receptions and we will never deliver to a home address. This ensures that nobody from outside your school can order your photographs.
Occasionally you may wish to make payment by Credit/Debit card over the phone. The staff member you are dealing with will ask for your consent to process this type of personal information and once entered through the PayPal portion of our website the Credit/Debit card details will be destroyed. We never store your Credit/Debit card details.
4. What kind of personal information do we collect and how is it used?
The information we hold about you can vary depending on the products and services you use. This includes personal information which you give to us when you are looking for a product or service; personal information we collect automatically, for instance, your IP address and the date and time you accessed our services when you visit our websites or apps; and personal information we receive from other sources, i.e. schools.
Here is a more detailed look at the information we hold about you and how it is used by us:
Types of information - Identity information: Photographs, your Son's/Daughter's Name and Class/Teacher Name, which are provided with your consent by the school. Your Name, Your School Address, Phone Number and Email.
Examples of how the information is used by us - We use this type of information to identify you and process your order.
Your client profile can include - Whenever a staff member meets with you or contacts you this interaction may be logged to retain a note of the interaction so that staff can deal with your queries and satisfy your requests.
Types of Information & Examples of how the information is used by us-
Images from security cameras in and around the office premises
We may use CCTV to monitor and collect images. We have a strict retention period for security camera images but in certain limited circumstances, the recordings may be kept for longer, for instance, to provide evidence to the Gardai for investigations for criminal proceedings.
5. Do we use personal information for direct marketing?
No, we do not currently market directly to our customers. We will not sell or hire your personal information to third parties for their own use.
We will never use your photographs for public advertising without obtaining your specific permission to do so. We do however show samples of our work to Garda Vetted Principals/Deputy Principals and Parents Committees with a view to engaging our services, but this will never be in a public forum.
6. What about Security and Confidentiality?
We use a variety of security technologies including unique passwords and procedures to help protect your personal information and photographs from unauthorised access, use or disclosure. We also take steps to ensure that only persons with appropriate authorisation can access your personal information.
6.1. Who can access your personal information within our business?
6.1.1. Only staff members who are suitably authorised and Garda vetted can access your personal information if that information is relevant to the performance of their duties, whether it be in connection with the delivery of products or services or in accordance with legal or regulatory obligations. This may include, for example, staff members working in our Photography Department, or our customer services representatives who you have dealings with.
6.2. Security measures to safeguard your personal information
We use internal technical and organisational measures to protect your personal information from unauthorised access, to maintain data accuracy and to help ensure the appropriate use of your personal information. These security measures include encryption of your personal information, firewalls, intrusion detection systems, 24/7 physical protection of facilities where your personal information is stored, background checks for personnel that access physical facilities, and strong security procedures across all service operations. We use strong encryption for the storage of your Information and store these servers behind strong physical barriers. Although every effort is made to secure your information, including but not limited to additional security measures and features, we cannot guarantee that these measures are 100% effective.
6.3. Other restrictions on use of your personal information
We do not collect personal information on children aged under 16, unless a parent or legal guardian has given his/her consent for this. We will not sell or hire your personal information to third parties for their own use.
7. Who do we share your personal information with?
Our business sometimes shares your personal information with trusted third parties who perform important functions for us based on our instructions and applying appropriate confidentiality and security measures.
For example, we use the third-party service provider PhotoShelter, based in the US, to host our website. GDPR requires that certain safeguards be put in place when transferring personal data outside the EU. PhotoShelter is already self-certified to the EU-US Privacy Shield, which allows the company to lawfully transfer EU personal data to their US-based datacenters.
For our Email we use the services of Google G Suite and Google Cloud Platform (GCP), which are compliant with GDPR because Google offers to sign EU Model Contract Clauses and a Data Processing Amendment.
• We work through schools to communicate with you about our products and services;
• We engage the services of solicitors, accountants, auditors and other consultants to act on our behalf and work with advisors in the normal course of our business, under a strict code of confidentiality.
• We are required to cooperate by law or otherwise through a legal process with Irish and EU regulatory and enforcement bodies such as the Central Bank, the courts, fraud prevention agencies or other bodies. We are also required to report personal and account information to for tax purposes.
8. How long will we retain your personal information?
How long certain personal information is stored depends on the nature of the information we hold and the purposes for which they are processed.
We determine appropriate retention periods having regard to any statutory obligations imposed on us by law. For example, we are required to retain some customer accounting information for 6 years after the end of the customer relationship in accordance with Revenue requirements.
We retain photographs for a minimum of 6 years and sometimes indefinitely so as to be in a position to supply reprints to clients should their photographs be damaged or fade over time.
Due to the nature of our business, the purpose for which the information was obtained may have ceased and the information may no longer be required; however, it may be in the public domain or in our archives, so we may not be able to delete or purge said information in all circumstances.
9. Updates to our Data Protection Notice
We keep this notice under regular review and from time to time will look to amend it to reflect changes to the way in which we are processing personal information. The most recent version will always be available on request or via our website. We will inform you of material changes to the content of the Data Protection Notice through a notification posted on our website or other communication channels. You will also find more information about Irish and European data protection legislation on the Office of the Data Protection Commissioner’s website at https://dataprotection.ie/docs/Home/4.htm