GDPR Compliance

Our Commitment

Quick Lily Visual Arts Ltd complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We're committed to protecting your personal data and respecting your privacy rights.

This page explains how we fulfill our GDPR obligations and outlines the rights available to you under data protection legislation.

Data Controller Information

For the purposes of data protection law, Quick Lily Visual Arts Ltd is the data controller responsible for your personal information.

Company Name: Quick Lily Visual Arts Ltd
Registered Office: 42 Clerkenwell Road, London EC1M 5PS, United Kingdom
Company Number: 09847562
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a lawful basis to do so. Our processing activities are founded on these legal grounds:

Performance of Contract

When you commission photography services from us, we need to process your personal information to fulfill that contract. This includes communicating with you, understanding project requirements, delivering services, and handling payment.

Legitimate Interests

We process certain data based on legitimate business interests, such as maintaining client relationships, improving our services, preventing fraud, and ensuring network security. We've assessed these interests against your privacy rights and believe processing is appropriate and necessary.

Consent

For activities like marketing communications or certain cookie usage, we obtain your explicit, freely given consent. You can withdraw this consent at any time without affecting other aspects of our relationship.

Legal Obligations

Some processing is necessary to comply with legal requirements, such as maintaining business records for tax purposes or responding to lawful requests from authorities.

Your Data Protection Rights

The UK GDPR grants you comprehensive rights regarding your personal data. We respect these rights and have established procedures to facilitate their exercise.

Right of Access

You can request confirmation of whether we process your personal data and obtain a copy of that data along with supplementary information about how we use it. We'll provide this free of charge within one month of your request.

Right to Rectification

If personal data we hold is inaccurate or incomplete, you can request corrections. We'll update our records promptly and notify any third parties to whom we've disclosed the information where appropriate.

Right to Erasure

Also known as the "right to be forgotten," this allows you to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected, when you withdraw consent, or when you object to processing.

This right is not absolute. We may need to retain certain information to comply with legal obligations or establish legal claims.

Right to Restrict Processing

You can request that we limit how we use your personal data in specific situations, such as when you contest the accuracy of the data or object to processing. During restriction, we can store the data but not use it without your consent.

Right to Data Portability

Where we process your data based on consent or contract performance using automated means, you can request to receive your personal data in a structured, commonly used, machine-readable format. You can also request that we transmit this data directly to another organization where technically feasible.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. When you object to marketing, we'll cease such communications immediately. For other objections, we'll stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making

We don't engage in automated decision-making or profiling that produces legal or similarly significant effects. Should this change, we'll update this notice and ensure appropriate safeguards are in place.

Exercising Your Rights

To exercise any of these rights, send a written request to [email protected]. Please include sufficient information to allow us to identify you and understand your request.

We'll respond within one month, though this may be extended by two additional months for complex requests. We'll inform you of any extension and the reasons for it.

There's no charge for exercising your rights unless your request is clearly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include:

Encryption of data during transmission and storage where appropriate, access controls limiting who can view personal information, regular security assessments and updates, secure backup procedures, and staff training on data protection principles.

Despite our efforts, no method of transmission or storage is completely secure. We cannot guarantee absolute security but continuously work to improve our protective measures.

Data Breach Procedures

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we'll notify the Information Commissioner's Office within 72 hours of becoming aware of the breach.

If the breach is likely to result in a high risk to you, we'll also notify you directly without undue delay, providing information about the nature of the breach and the measures we're taking.

International Transfers

We primarily process personal data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by data protection authorities.

Any such transfers will comply with UK GDPR requirements and protect your data to the same standard as within the UK.

Data Protection by Design and Default

We incorporate data protection principles into our operations from the outset. This means considering privacy implications when developing new services or processes and implementing appropriate technical and organizational measures.

By default, we process only the personal data necessary for each specific purpose, retain it only as long as needed, and limit access to those who require it.

Photography Specific Considerations

Our photography work involves unique data protection considerations. When photographing individuals, we obtain appropriate consents for image capture and usage. These consents specify how images will be used and for what duration.

If photographs include identifiable individuals who aren't direct clients, we ensure proper releases are obtained. We store photographic work securely and respect any restrictions placed on image usage.

Third Party Processors

We engage service providers who process personal data on our behalf, such as cloud storage providers and email services. These processors are carefully selected and bound by data processing agreements that comply with UK GDPR requirements.

Processors are permitted to process personal data only according to our documented instructions and must implement appropriate security measures.

Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law. Specific retention periods vary:

Client project data is typically retained for seven years to comply with business record requirements. General inquiry data is kept for two years. Website analytics data is usually retained for 12 months. Marketing consent records are kept until consent is withdrawn.

After retention periods expire, we securely delete or anonymize personal data.

Contact and Complaints

For questions about our data protection practices or to exercise your rights, contact us at [email protected].

If you're unsatisfied with how we've handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk

Policy Updates

We review this GDPR compliance information regularly and update it as needed to reflect changes in our practices or legal requirements. Check the "Last updated" date to see when the most recent revision occurred.