GDPR Compliance

Your data protection rights under UK data protection legislation

Our Commitment to Data Protection

Brisk Whisper is committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we comply with these regulations and what rights you have regarding your personal data.

Data Controller Information

For the purposes of data protection legislation, the data controller is:

Brisk Whisper Photography
Unit 12, Warehouse Quarter
45 Hackney Road
London E2 7NX
United Kingdom
Email: [email protected]

What Personal Data We Collect

We collect and process personal data necessary for providing photography services and operating our business. This includes:

Client Information

  • Contact details (name, email, postal address)
  • Company information for business clients
  • Project requirements and preferences
  • Communication records
  • Financial information for invoicing and payments

Website Visitors

  • Technical data (IP address, browser type, device information)
  • Usage data (pages visited, navigation patterns)
  • Cookie data (subject to your cookie preferences)

Photographic Subjects

  • Images containing identifiable individuals
  • Model release and consent documentation
  • Usage rights and restrictions

Legal Basis for Processing

We process personal data based on one or more of the following legal grounds:

Contractual Necessity

Processing is necessary to deliver services you've commissioned, including:

  • Responding to service inquiries
  • Scheduling and conducting photography sessions
  • Delivering finished photographs
  • Processing payments

Legitimate Interests

We process data for legitimate business purposes that don't override your rights:

  • Maintaining client relationships and project records
  • Improving our services based on usage patterns
  • Protecting against fraud and unauthorised access
  • Operating and securing our website

Legal Obligations

We must process certain data to comply with legal requirements:

  • Financial record-keeping for tax purposes
  • Contract and invoice retention
  • Responding to lawful requests from authorities

Consent

For activities requiring explicit permission:

  • Marketing communications
  • Non-essential cookies
  • Using images of identifiable individuals for promotional purposes

You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Your Data Protection Rights

Under UK GDPR, you have comprehensive rights regarding your personal data. We respect these rights and have procedures in place to facilitate their exercise.

Right to Be Informed

You have the right to clear, transparent information about how we use your data. This document, along with our Privacy Policy, fulfils this obligation.

Right of Access

You can request a copy of the personal data we hold about you. We'll provide this within one month of your request, free of charge. The information will include:

  • What personal data we process
  • Why we're processing it
  • Who has access to it
  • How long we'll keep it
  • Your other rights regarding this data

Right to Rectification

If personal information we hold is inaccurate or incomplete, you can request correction. We'll update our records within one month and notify any third parties we've shared the data with, unless this proves impossible or involves disproportionate effort.

Right to Erasure

Also known as the "right to be forgotten," you can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where processing is based on consent)
  • You object to processing, and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required for compliance with legal obligations

This right is not absolute. We may need to retain certain information to comply with legal obligations, establish or defend legal claims, or for other legitimate reasons.

Right to Restrict Processing

You can request that we limit how we use your data in these situations:

  • You contest the accuracy of the data
  • Processing is unlawful, but you don't want the data erased
  • We no longer need the data, but you need it for legal claims
  • You've objected to processing while we verify whether our legitimate grounds override yours

When processing is restricted, we can store the data but not use it without your consent, except for legal claims or protecting others' rights.

Right to Data Portability

For data processed based on consent or contract, and processed by automated means, you can request:

  • A copy of your data in a structured, commonly used, machine-readable format
  • Direct transmission of this data to another controller, where technically feasible

This right applies to data you've provided to us and doesn't affect others' rights or freedoms.

Right to Object

You can object to processing based on legitimate interests or public interest. We'll stop processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.

You have an absolute right to object to processing for direct marketing purposes. We'll stop such processing immediately upon receiving your objection.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making processes that would trigger this right.

How to Exercise Your Rights

To exercise any of your data protection rights, contact us using the information provided at the end of this page. Please include:

  • Your full name and contact details
  • Clear description of your request
  • Proof of identity (to protect against fraudulent requests)
  • Any specific information that will help us locate your data

We'll respond within one month of receiving your request. For complex requests, we may extend this by two additional months and will explain why the extension is necessary.

Generally, exercising your rights is free. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, particularly repetitive requests. We may also refuse to act on such requests.

Data Security Measures

We implement appropriate technical and organisational measures to ensure data security commensurate with the risks:

Technical Measures

  • Encrypted data transmission (SSL/TLS)
  • Secure password policies and authentication
  • Regular security updates and patches
  • Firewall and anti-malware protection
  • Secure backup systems
  • Access logging and monitoring

Organisational Measures

  • Staff training on data protection principles
  • Access controls limiting who can view personal data
  • Confidentiality agreements with staff and contractors
  • Regular review of data protection practices
  • Incident response procedures
  • Privacy by design in new systems

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware
  • Document the breach, including facts, effects, and remedial actions
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Take immediate steps to mitigate harm and prevent recurrence

Notifications to individuals will describe the breach in clear language, identify our data protection contact, explain likely consequences, and describe measures taken or proposed to address the breach.

International Data Transfers

We primarily store and process data within the United Kingdom. If we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

  • Adequacy decisions recognising equivalent data protection standards
  • Standard contractual clauses approved by the UK authorities
  • Binding corporate rules for transfers within corporate groups
  • Approved codes of conduct or certification mechanisms

You can request information about specific safeguards for international transfers relevant to your data.

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or to comply with legal obligations. Retention periods vary by data type:

  • Client contracts and financial records: Seven years (legal requirement)
  • Marketing consent: Until withdrawn or legitimate interest ceases
  • Website analytics: Up to 26 months
  • Correspondence: Duration of business relationship plus reasonable period
  • Photographic archives: As specified in contracts or until client requests deletion

We periodically review data we hold and delete information that's no longer necessary. You can request earlier deletion, subject to our legal obligations and legitimate interests.

Third-Party Processors

Some personal data is processed by third-party service providers acting on our behalf. We ensure these processors:

  • Process data only on our documented instructions
  • Maintain appropriate security measures
  • Assist us in responding to data subject requests
  • Delete or return data when services end
  • Provide information demonstrating GDPR compliance

We conduct due diligence before engaging processors and maintain written contracts specifying their obligations.

Children's Data

Our services are not directed at children under 16. If we become aware that we've collected data from a child without appropriate parental consent, we'll delete it promptly.

When photographing minors, we obtain verifiable parental or guardian consent through model releases that clearly explain how images will be used.

Updates to This Information

We review our GDPR compliance regularly and update this page as necessary to reflect changes in our practices or legal requirements. Significant changes will be communicated through prominent website notices or direct contact where appropriate.

Making a Complaint

We're committed to resolving any concerns about how we handle your personal data. If you're unhappy with our response to a request or believe we're processing your data unlawfully, you can lodge a complaint with the supervisory authority:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: brisk-whisper.com

We encourage you to contact us first so we can attempt to resolve your concerns directly.

Contact Us

For any questions about our GDPR compliance or to exercise your data protection rights, please contact:

Data Protection Contact
Brisk Whisper Photography
Unit 12, Warehouse Quarter
45 Hackney Road
London E2 7NX
United Kingdom
Email: [email protected]