This policy applies to schools, nurseries, parents, guardians, staff, and individuals whose personal data may be processed as part of photography or filming services.
This policy should be read alongside the Privacy Policy, Image Consent Policy, Safeguarding Policy, Data Processing Agreement (DPA), and applicable photography contracts.
1. UK GDPR Compliance
Kirsty Bowen Photography processes personal data in accordance with:
- UK GDPR
- Data Protection Act 2018
- Applicable safeguarding and child protection requirements
Procedures and systems are regularly reviewed to support lawful, fair, secure, and transparent processing of personal data.
2. Role of the Parties
For school and nursery photography services:
- The school or nursery normally acts as the Data Controller
- Kirsty Bowen Photography acts as the Data Processor, acting on the school’s instructions
For direct-to-parent services:
- Kirsty Bowen Photography may act as Data Controller for gallery delivery, customer communication, order fulfilment, and marketing consent management
The school or nursery remains responsible for determining and managing the lawful basis for pupil photography and filming activities.
Kirsty Bowen Photography relies on the written information, permissions, and restrictions provided by the school or nursery at the time of the session.
3. Personal Data Processed
I may collect the following types of data:
- Identity Data: first name, last name, username, title.
- Contact Data: billing address, delivery address, email address, telephone numbers.
- Financial Data: bank account and payment card details.
- Transaction Data: details about payments and purchases.
- Technical Data: IP addresses, browser type, time zone, location, operating system, platform, and other device technology.
- Profile Data: purchase history, gallery preferences, feedback, and communication records.
- Usage Data: information about how you use my website, products, and services.
- Marketing and Communications Data: preferences for receiving marketing communications.
Sensitive Data: I do not collect any sensitive data, including details about race, religion, sexual orientation, political opinions, trade union membership, health, or biometric data.
How Data Is Collected:
- Directly from schools, parents, or families
- Automatically via online galleries and website usage.
4. Lawful Basis for Processing
Personal data may be processed under one or more of the following lawful bases:
- Performance of a contract
- Legitimate interests
- Legal obligations
- Consent, where required for marketing or promotional image use
For school and nursery photography services, the school or nursery remains responsible for determining and managing the lawful basis for pupil photography and filming.
5. How Personal Data Is Used
Personal data is used for:
- Providing photography and filming services
- Producing and delivering galleries and products
- Processing orders and payments
- Customer communication and support
- Managing bookings and administration
- Maintaining business and financial records
- Meeting legal, accounting, and regulatory obligations
Images are only used for marketing or promotional purposes where appropriate consent has been confirmed in accordance with the Image Consent Policy.
6. Consent and Image Use
For school and nursery photography services, the school or nursery remains responsible for managing consent and lawful basis requirements for pupil photography and filming.
Kirsty Bowen Photography relies on the consent information and restrictions provided by the school or nursery at the time of the session.
For direct-to-parent portrait services, identifiable images are only used for marketing or promotional purposes where explicit consent has been obtained directly from a parent or guardian.
Further information is available in the Image Consent Policy.
7. Sharing Data + Third Parties
Personal data may be shared with trusted service providers where necessary for delivering photography services, including:
- Service providers necessary for photography (staff, print labs, online gallery providers, IT support, postal service).
- Professional advisors (lawyers, accountants, auditors).
- Regulatory authorities, if legally required.
All third parties must process data securely, only for the purpose it was shared, and comply with GDPR.
Current third-party processors:
- Client Management System: Studio Ninja
- Client Photo Galleries: PicTime
- School Photo Galleries: GotPhoto
All third-party providers are required to process personal data securely and only for authorised purposes.
Personal data may also be disclosed where required by law or regulatory obligation.
8. International Transfers
Some service providers may process data outside the United Kingdom or EEA.
Where this occurs, appropriate safeguards are used in accordance with UK GDPR requirements.
9. Data Security
Appropriate technical and organisational measures are used to protect personal data, including:
- Password-protected systems
- Secure cloud storage
- Restricted file access
- Secure gallery systems
- Controlled device access
- Secure transfer methods where appropriate
Access to personal data is limited to authorised persons only.
10. Data Retention and Deletion
A two-stage storage system consisting of Active Storage and Archive Storage is used.
Personal data is retained only for as long as reasonably necessary for:
- Service delivery
- Customer support and reorders
- Legal and accounting obligations
- Safeguarding and consent records
- Business administration and dispute resolution
Typical retention periods include:
- Student and parent data - approximately 3 months after gallery completion
- Delivered images - up to 18 months
- RAW files - up to 6 months
- Financial and contractual records - 6 years
- Consent records - 6 to 7 years where required
Where marketing consent is withdrawn, future public use will cease and images will be removed from active marketing use within a reasonable timeframe.
Data is securely deleted or archived once no longer required.
11. Data Subject Rights
Under UK GDPR, individuals may have rights including:
- Access to personal data
- Correction of inaccurate data
- Restriction of processing
- Objection to processing
- Erasure where applicable
- Withdrawal of marketing consent
- Data portability where applicable
Requests should be submitted in writing to: hello@kirstybowen.com
Where processing is controlled by a school or nursery, requests relating to pupil photography may need to be directed to the school or nursery as Data Controller.
Individuals also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
12. Data Breaches
Any suspected or confirmed personal data breach will be assessed and managed promptly.
Reasonable steps will be taken to:
- Contain and investigate the issue
- Reduce potential impact
- Notify the relevant school or nursery where required
- Comply with applicable reporting obligations
Where legally required, breaches will be reported to the ICO within the required timeframe.
Records of significant breaches and actions taken are maintained.
13. Artificial Intelligence and Automated Processing
Pupil images and personal data will not be:
- Used to train AI or machine learning systems
- Uploaded to AI image generation systems for analysis or synthetic creation
- Used for facial recognition development
- Used in automated profiling systems
Unless explicitly authorised in writing by the relevant Data Controller and supported by an appropriate lawful basis and consent where required by law.
14. Safeguarding and Confidentiality
Photography and filming services are carried out in line with safeguarding and child protection best practice.
Children without consent for photography are managed discreetly in accordance with information and procedures provided by the school or nursery.
Further safeguarding information is available in the Safeguarding Policy.
15. Accountability and Policy Review
Kirsty Bowen Photography maintains procedures intended to support compliance with UK GDPR and the Data Protection Act 2018.
Policies and procedures are reviewed periodically and may be updated from time to time.
The latest version of this policy will always be available on the website.
16. Contact Information
Kirsty Bowen Photography
Email: hello@kirstybowen.com
Website: Kirsty Bowen Photography Schools
Policy last reviewed: May 2026
Signed: Kirsty Bowen