Your privacy matters to us
We are Stanley Baker Studios Ltd. We provide photographic services to schools and photographers. Stanley Baker Studios Ltd is a private limited company registered in England & Wales 01800855. Our registered address is SBS House, Tyler Street, Parkeston, Harwich, Essex CO12 4SB. Our Data Protection Act registration number is Z7406931.
We understand our moral and legal responsibilities to respect your privacy and take care of any personal data we hold about you, in compliance with the data protection legislation.
We are the data controller for the personal data we process about our enquirers, customer representatives, subscribers, customer leads, job applicants, employees, contractors and, website users and customers purchasing our photographs. We are also the data controller of the photographs we take, including photographs taken in school, as we are the copyright holder for these images. This privacy notice tells you what to expect when we handle personal data as a data controller.
We sometimes process limited personal data as a ‘data processor’. This is when we handle personal data on behalf of our customers, for example schools or other companies or photographers using our printing or photograph storage platforms. In these cases, we process this information upon our customers’ written instructions under a contract (a Data Processing Agreement). Any collection or use of that information is limited to the purpose of providing the service to our customers. We process very limited information as a data processor for example student names and their school reference number. Our Data Processing Agreement is available on our website: Data Processing Agreement
If you have any queries about this privacy notice or the services we offer, please email us at firstname.lastname@example.org. If you would like to contact our Data Protection Officer, please email email@example.com
How we get information
Most of the personal data we process is provided to us directly by you, for example when you:
- make an enquiry by email, phone or through our website
- purchase our photographs or videos
- sign up to our newsletters, blogs and promotions
- work with us as an employee or contractor
- use our website
We may also collect personal information about you indirectly, for example through:
How we handle personal data
- our customers
- public sources (e.g. websites and professional networking sites)
- recruitment agencies
- referees to support your job application (at your request)
We collect the name and contact details of our school customer contacts and information about the service they have requested. We need this information so we can fulfil our contract with them or take steps at the request of the customer prior to entering into a contract with them. We keep this information for 7 years to satisfy any contractual, legal, accounting, or reporting obligations.
When a parent registers an account with us through our website to purchase a digital photograph of their child, we collect their name, mobile phone number and payment details. If a physical print is purchased, we also collect their address to send the photograph to. We need this information so we can fulfil our contract with them, or take steps at the request of the customer prior to entering into a contract with them. We keep this information for 7 years to satisfy any contractual, legal, accounting, or reporting obligations. Accounts that have been inactive for 12 months will be deleted and the photographs will be retained for up to 7 years to enable parents and students to purchase these at the end of their school career.
Pupils and students
When we take photographs of pupils or students in schools, the school usually provides us with the name and school reference number of each pupil or student we are photographing, so we can match the photograph to the correct child and issue a QR code for them. The QR code enables the parent or school to access that child’s images through our secure portal.
The QR code assigned stores the school name, and/or year name and in most cases the child’s first and last name (where these are individual portrait photographs), along with their photograph. Group photograph QR codes include the school name and year name (or group name) and on occasion they include the student’s first and last name. This is so we can link students with their group and individual photographs. We need this information so we can fulfil our contract with our customer (the school or the child’s parent), or to take steps at the request of the customer, prior to entering into a contract with them. We keep the QR code personal data for 7 years to satisfy any contractual, legal, accounting, or reporting obligations.
We collect the name and contact details of our customer contacts and information about the service they have purchased. We need this information so we can fulfil our contract with them or take steps at the request of the customer prior to entering into a contract with them. We keep this information for 7 years to satisfy any contractual, legal, accounting, or reporting obligations.
When someone contacts us asking about our services through our website, by email or over the telephone, we collect their name, contact details and the nature of their enquiry. We collect this information for our legitimate interests as a company to be able to respond to their enquiry and keep a record of our communications with them. We keep this information for 2 years from the date of the last communication.
We collect the name and contact details of people who want to subscribe to our newsletters, resources, blogs and promotions. We collect this information with the consent of the individual when they opt-in to receive these communications. If a person unsubscribes, we remove them from our mailing list but retain their contact details in a separate database. We need to retain this information indefinitely for our legitimate interests to ensure we do not contact them again in the future. We keep subscriber data until they unsubscribe or if the email address becomes invalid or if we believe they no longer want to receive communications from us.
We sometimes collect the name, job role and work contact details of employees working for potential customers, who we think would be interested in receiving information about our company’s services; this is known as ‘B2B’ or ‘business to business’ marketing. This information is only collected from public sources, such as company websites or where the employee has published their name, work profile and contact details on a networking site for professionals, (such as LinkedIn) and therefore would have a reasonable expectation that companies like us, may contact them to make introductions and market their services.
We collect this information to pursue our legitimate interests, to be able to promote and market our services to potential new customers. Contact leads can opt-out from receiving communications from us at any time, by emailing firstname.lastname@example.org.
We keep this information for 2 years from the date of our last communication, where the communication does not lead to a sale. If the communication does lead to a sale, this information will be retained in line with our retention period for customers.
We receive Curriculum Vitae (CVs) and application forms from people who apply for jobs with us. This will often include the individual’s name, contact details, experience, education and a personal statement to support their application. We collect this information with the person’s consent and for our legitimate interests to be able to assess the suitability of the individual and where relevant, invite them to interview.
Applicants who are not successful, prior to or after interview, their CV and application will be destroyed after 6 months, unless the applicant gives us their permission to retain this information for longer. Information relating to successful applicants, will be retained on their employee file and held for the duration of their employment, plus a further 7 years after their contract has ended.
We collect information about our employees, such as their name, date of birth, contact details, recruitment information, evidence of their right to work, outcome of their criminal record check (DBS) (where required), contract, bank details and other employment information. We collect this information to enable us to fulfil our contract with the employee or to take steps at the request of the employee, prior to entering into a contract with them. For example, to ensure they are paid; make pension and tax contributions on their behalf and provide employee services and benefits to them. We also collect this information to pursue our legitimate interests, for example to recruit employees, maintain a register of our employees (past and present) for insurance, legal, tax and pension purposes and to assist in the prevention or detection of crime (including fraud).
We sometimes collect ‘special category data’ about our employees, for example information about their disabilities, health and dietary needs or religious beliefs. Our lawful bases to process this type of data falls under contract and employment. We need this information so we can make reasonable adjustments in the workplace and carry out our legal obligations under employment (such as the Equality Act and Health and Safety Act), as well as safeguarding the welfare of the employee and where relevant colleagues. We keep employee files for 7 years after the contract has ended.
We collect information about our contractors, such as their name, contact details, experience, outcome of their criminal record check (DBS) (where required), service contract and bank details. We collect this information for our legitimate interests, to be able to assess the suitability of the individual and to enable us to fulfil our contract with them or to take steps at their request, prior to entering into a contract with them. We keep contractor files for 7 years after their contract has ended.
When you visit our website, simple Cookies are used to help you navigate around our site and tell us how well our website is performing. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting this website and will not associate any data gathered with any personally identifying information from any source.
Use of school photographs for marketing and promotion
As we are the copyright holder of the photographs we take, we are permitted by law to use these photographs for our own business purposes, such as promotion. This means we may use carefully selected photographs to showcase our excellent products to other schools when we visit them. We rely on legitimate interests as our lawful basis to do this.
If we use individual photographs on our website or in printed marketing literature, we either obtain consent from the parent or student before using those photographs or use Artificial Intelligence (AI) generated images (these are not real people). Where we use group photographs, we digitally remove all identifying data, such as school logos, school names and students’ names (we may use fictitious names).
Consent can be withdrawn at any time by emailing email@example.com. There may be some restrictions to withdrawing consent, where, for example, we have already printed the photograph in marketing literature. In this scenario, we would discontinue the use of that photograph after our marketing campaign has finished. We will never publish names alongside photographs.
Who we share information with
We do not share your data with other organisations, unless it is necessary for our legitimate purposes, legal, contractual, regulatory or law enforcement purposes. Where we use data processors to help us manage or store our data (cloud storage providers); promote our services (advertising/marketing companies) or help us deliver our services (contractors or specialist photograph editing companies), we have Data Processing Agreements or confidentiality agreements in place to protect any personal data they may have access to on our behalf.
Our data processors only act on our instructions and are carefully selected to ensure they have robust security measures in place and comply with the UK GDPR when processing personal data.
Where we process your personal data as a data processor for our customers, your personal data may be accessible to that customer, to enable us to fulfil our contract with them.
There may be times when we need to disclose personal data to other data controllers, for example:
- In the event that we sell any business or assets
- If we or substantially all of our assets (including data) are acquired by a third party
- If we are under a duty to disclose or share your personal data to comply with any legal obligation, or in order to enforce or apply our terms and conditions and other agreements
- To protect the rights, property, or safety of our company, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
We will never sell your personal data or share it in a way you would not reasonably expect.
Where we store data
Our company only stores personal data on encrypted servers within the United Kingdom (UK), the EEA or other countries who have received ‘adequacy status’ by the UK.
How we protect your information
We take our security responsibilities very seriously and have put in place robust measures to protect our and our customers’ personal data from accidental or unlawful access, disclosure, loss, damage or destruction.
The following are examples of how we achieve this:
Your data protection rights
- Access to our data and systems is on a strict need to know basis and we ensure our employees and contractors are under an obligation of confidentiality.
- Employees receive mandatory data protection training and sign up to our Data Protection Policy.
- We have robust procedures in place to manage and report personal data security breaches, in the unlikely event of a breach occurring.
- Where we use companies who process personal data on our behalf to help us provide our services to our customers, we carry out due diligence checks on these companies and have written contracts in place (Data Processing Agreements) which require them to handle personal data in line with the UK data protection laws.
- We use up to date virus and malware protection software and we back up data regularly.
- Data is held on encrypted servers in the UK, the EEA or other countries who have received ‘adequacy status’ by the UK.
You have the following rights under the data protection laws:
- The right to be told how your personal data is being processed.
- The right of access to your personal data.
- The right to rectify personal data held about you which you think is inaccurate or incomplete.
- The right to erase your personal data in certain circumstances.
- The right to restrict the processing of your information in certain circumstances.
- The right to object to your information being used for direct marketing purposes.
- The right to ask that your personal data is transferred from one organisation to another or given to you, in certain circumstances.
- The right to complain to the organisation processing your personal data if you are not happy with the way it has been handled, and to escalate this to the Information Commissioner’s Office if you remain dissatisfied.
To exercise these rights, please contact us by emailing firstname.lastname@example.org
. You are not usually required to pay a fee and can expect to receive a response within one calendar month. Further information about your data protection rights can be found on the Information Commissioner’s Office website at www.ico.org
Changes to this privacy notice
We may need to update this privacy notice periodically, so we recommend that you revisit this information from time to time. This version was last updated on 3rd July 2023.