1. Categories of Personal Data and Processing Purposes
What personal data do we process about you and why?
You may use the Website without providing any personal data about you. In this case, we will collect only the following metadata that result from your usage of the Website: browser type and version, operating system and interface, website from which you are visiting us (referrer URL), webpage(s) you are visiting on our Website, date and time of accessing our Website, and internet protocol (IP) address.
Your IP address will be used to enable your access to our Website. The metadata will be used to improve the quality and services of our Website and services by analysing the usage behaviour of our users.
If you create an account on our Website you will be asked to provide the following personal data about you: name, gender (salutation), postal address, email address, telephone number, selected password for your account and your preferences in receiving marketing from us (voluntary). We process such personal data for purposes of account administration, answering your queries or information requests, providing desired products or services, providing you with marketing materials where you have provided consent for us to do so, to the extent permitted by applicable law, analysing your interests for marketing purposes, improving our Website according to usage patterns, and for technical administration or other purposes to which you have agreed.
1.3 Product Orders
If you order a product via our Website we collect and process the following personal data about you: name, gender (salutation), postal address, email address, telephone number, payment details, invoicing and delivery address, type and amount of product, purchase price, order date, order status, customer care requests, and your preferences in receiving marketing from us (voluntary). We process such personal data for purposes of carrying out the contractual relationship and the product order, providing customer care services, compliance with legal obligations, defending, establishing and exercising legal claims, providing you with marketing materials where you have provided consent for us to do so, to the extent permitted by applicable law, and analysing your interests for marketing purposes.
If you participate in a competition, we collect and process the following personal data about you: name, gender (salutation), postal address, email address, telephone number and selection as winner. We process such personal data for purposes of carrying out the competition, informing the winner, delivering the prize to the winner and providing you with marketing materials where you have provided us consent to do so, to the extent permitted by applicable law, and analysing your interests for marketing purposes.
If you request to receive our newsletter, we collect and process the following personal data about you: name, address, date of birth, gender (salutation) and email address, and your preferences in receiving marketing from us via emails, SMS or postal mails (voluntary). We process such personal data for purposes of providing the newsletter and other marketing materials to the extent permitted by applicable law and where you have provided us consent to do so and analysing your interests for marketing purposes.
2. Processing Basis and Consequences
What is the legal justification for processing your personal data and what happens if you choose not to provide it?
We rely on the following legal grounds for the collection, processing, and use of your personal data:
o your consent to the processing of your data for one or more specific purposes;
o the processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract;
o the processing is necessary for compliance with a legal obligation to which we are subject;
o the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where your interests or fundamental rights and freedoms do not override those interests;
o the provision of your personal data is required by a statutory or contractual obligation. The provision of your personal data is necessary to enter into a contract with us or to receive our services/products as requested by you. The provision of your personal data is voluntary for you.
Not providing your personal data may result in disadvantages for you, for example, you may not be able to receive certain products and services. However, unless otherwise specified, not providing your personal data will not result in legal consequences for you.
3. Categories of Recipients and International Transfers
Who do we transfer your personal data to and where are they located?
We may transfer your personal data to third parties for the processing purposes described above as follows:
o Within the Company:
Our Franchise Branches (each franchise including us referred to as "Branch"; collectively, the "Company") within the Company may receive your personal data as necessary for the processing purposes described above. Depending on the categories of personal data and the purposes for which the personal data has been collected, different internal departments within the Company may receive your personal data. For example, our IT department may have access to your account data, and our Accounts and Administration departments may have access to your account data or data relating to product orders. Other departments within the Company may have access to certain personal data about you on a need to know basis.
o With data processors:
Certain third parties, whether affiliated or unaffiliated, may receive your personal data to process such data under appropriate instructions ("Processors") as necessary for the processing purposes described above, such as website service providers, order fulfilment providers, customer care providers, marketing service providers, IT support service providers, and other service providers who support us in maintaining our commercial relationship with you. The Processors will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal data, and to process the personal data only as instructed.
o Other recipients:
We may transfer - in compliance with applicable data protection law - personal data to law enforcement agencies, governmental authorities, judicial authorities, legal counsel, external consultants, or business partners. In case of a corporate merger or acquisition, personal data may be transferred to the third parties involved in the merger or acquisition. We will not disclose your personal data to third parties for advertising or marketing purposes or for any other purposes without your permission. Any access to your personal data is restricted to those individuals that have a need-to-know to fulfil their job responsibilities.
The personal data that we collect or receive about you may be transferred to and processed by recipients that are located inside or outside the European Economic Area ("EEA"). For recipients located outside of the EEA, some are certified under the EU-U.S. Privacy Shield and others are in countries with adequacy decisions and, in each case, the transfer is thereby recognised as providing an adequate level of data protection from a European data protection law perspective. Other recipients might be in countries which do not adduce an adequate level of protection from a European data protection law perspective. We will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. With respect to transfers to countries not providing an adequate level of data protection, we will base the transfer on appropriate safeguards, such as standard data protection clauses adopted by the European Commission or by a supervisory authority, approved codes of conduct together with binding and enforceable commitments of the recipient, or approved certification mechanisms together with binding and enforceable commitments of the recipient.
4. Retention Period
How long do we keep your personal data?
Your personal data will be retained as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
5. Your Rights
What rights do you have and how can you assert your rights?
Right to withdraw your consent:
If you have declared your consent regarding certain collecting, processing and use of your personal data (regarding the receipt of direct marketing communication via email, telephone/SMS and postal), you can withdraw this consent at any time with immediate effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal. Please contact us as stated in Section 6 below to withdraw your consent. Further, you can object to the use of your personal data for the purposes of marketing without incurring any costs other than the transmission costs in accordance with the basic tariffs.
Additional data privacy rights:
Pursuant to applicable data protection law, you may have the right to:
(i) request access to your personal data;
(ii) request rectification of your personal data;
(iii) request erasure of your personal data;
(iv) request restriction of processing of your personal data;
(v) request data portability; and/or
(vi) object to the processing of your personal data (including objection to profiling).
Please note that these rights might be limited under the applicable data protection law.
Further information on your rights to the extent that the GDPR applies:
o Right to request access to your personal data:
You may have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. This access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals may restrict your right of access. You may have the right to obtain a copy of the personal data undergoing processing free of charge. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
o Right to request rectification:
You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
o Right to request erasure (right to be forgotten):
Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
o Right to request restriction of processing:
Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In such case, the respective data will be marked and may only be processed by us for certain purposes.
o Right to request data portability:
Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
o Right to object:
Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. Such right to object may especially apply if we collect and process your personal data for profiling purposes in order to better understand your interests in our products and services or for direct marketing. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. You may exercise this right by contacting us as stated in Section 6 below. Such a right to object may, in particular, not exist if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded. If you no longer want to receive direct marketing via email, telephone/SMS, and postal, you need to withdraw your consent as explained at the start of Section 5.
To exercise your rights, please contact us as stated under Section 6 below. You also have the right to lodge a complaint with the competent data protection supervisory authority.
6. Questions and Contact Information
Alternatively, we can be contacted by telephone 01342 894519 (our lines are open 9am-4:30pm (UK Time) Monday to Friday.
The postal address for DE Photo is:
DE Photo, Unit 19 Lambs Business Park, South Godstone, Surrey, RH9 8LJ, United Kingdom