GDPR

GDPR POLICY

This GDPR policy explains how Kirsty Bowen Photography collects, uses, stores, and protects personal data in the context of school and nursery photography.

1. Data Collected
I may collect the following types of data:

  • Identity Data: first name, last name, username, marital status, title, gender.
  • Contact Data: billing address, delivery address, email address, telephone numbers.
  • Financial Data: bank account and payment card details.
  • Transaction Data: details about payments and purchases.
  • Technical Data: IP addresses, browser type, time zone, location, operating system, platform, and other device technology.
  • Profile Data: username, password, purchases or orders, preferences, feedback, survey responses.
  • Usage Data: information about how you use my website, products, and services.
  • Marketing and Communications Data: preferences for receiving marketing communications.

Sensitive Data: I do not collect any sensitive data, including details about race, religion, sexual orientation, political opinions, trade union membership, health, or biometric data.

How Data Is Collected:
  • Directly from schools, parents, or families (forms, email, phone).
  • Automatically via online galleries and website usage.

2. Legal Basis For Processing
I process personal data under these legal grounds:
  • Contract / Service Delivery: to provide school photography and deliver images and orders.
  • Consent: for marketing or promotional use of portraits offered directly to parents (see Image Consent Policy).
  • Legal obligations: e.g., financial record-keeping for HMRC.

3. How I Use Data
I use personal data to:
  • Provide photography services and deliver images to families.
  • Process orders, payments, and communications with schools and parents.
  • Maintain records to operate my business efficiently.
  • Send marketing communications only with explicit consent.

4. Sharing Data + Third Parties
Data may be shared only with:
  • Service providers necessary for photography (staff, print labs, galleries, IT support).
  • Professional advisors (lawyers, accountants, auditors).
  • Regulatory authorities, if legally required.

All third parties must process data securely, only for the purpose it was shared, and comply with GDPR.

Current third-party processors:
  • Client Management System: Dubsado
  • Client Photo Galleries: PicTime
  • School Photo Galleries: GotPhoto

Security measures:
  • Digital data is kept on password-protected, secure business systems.
  • No personal or student data is stored on unencrypted devices.
  • Hard copies of information or photos are kept in locked storage.
  • Access is limited to authorised personnel only.

5. Data Storage and Retention 
  • Student + Parent Data: Names, class information, and parent/guardian contact details are kept until galleries and orders are complete, usually 3 months after gallery delivery, then securely deleted.
  • Parental Consent Records: Is kept as a legal record for 6-7 years to demonstrate compliance with GDPR and safeguarding requirements.
  • Financial and Contractual Records: retained for 6 years to comply with HMRC requirements.
  • Delivered Images: Are retained for up to 18 months to allow for reorders or dispute resolution.
  • RAW Files: Are retained for up to 6 months solely to enable selection and editing of images for delivery or marketing purposes.
  • Marketing/Promotional Images: Only images with valid consent are kept for marketing purposes. Once consent is withdrawn, these images, including any associated RAW files are immediately and securely deleted.
  • End-of-Retention Deletion: Once the 18-month period for delivered images expires, all remaining JPGs and RAW files are securely deleted unless specific marketing consent has been obtained.

6. Safeguarding
I follow a Safeguarding Policy, ensuring:
  •  Children are protected at all times.
  •  Consent is respected and managed appropriately.
  •  Children without consent are never singled out or excluded.

For full safeguarding practices, see the Safeguarding Policy

7. Consent for Photography
  • Consent for school photography (portraits, siblings, prospectus, filming) is obtained and managed by the school. I rely on the school’s written confirmation that consent is in place before taking photos. 
  • The school confirms consent includes permission for external photographer use
  • Individual or sibling portraits offered directly to parents, I obtain explicit, documented consent for marketing or promotional use.


8. Rights of Individuals
Parents, guardians, and staff have the right to:
  • Access the information I hold about them.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of data.
  • Restrict or object to processing where applicable.
  • Request data portability.
  • Withdraw marketing consent at any time.

Requests can be made via: hello@kirstybowen.com

9. Data Breaches
Any suspected or confirmed data breach will be assessed and contained immediately.
  • ICO will be notified within 72 hours if rights or safety are affected.
  • Schools, parents, and affected individuals will be informed of high-risk breaches.
  • Records of all breaches and actions taken are maintained.

10. Marketing & Image Use
  • Marketing communications are sent only to those who have explicitly opted in.
  • Images from individual or sibling portraits are only used with explicit parental consent.
  • School-led photography (prospectus or filming) is only used for marketing/portfolio if the school confirms appropriate parental consent.
  • Withdrawal of consent stops future use under my control. Requests to remove previously published materials will be respected where possible, but may not always be feasible for materials outside my direct control.

11. Accountability & Updates
  • I am responsible for GDPR compliance.
  • Procedures are regularly reviewed and updated.
  • Significant changes to this policy are communicated via my website.
  • Records of processing activities are maintained and updated.

12. Contact & Concerns
For any questions or concerns regarding GDPR or image use:

Kirsty Bowen – Business Owner
Email: hello@kirstybowen.com
Website: www.schools.kirstybowen.com

This policy is reviewed annually.
Policy last reviewed: January 2026
Signed: Kirsty Bowen