UK GDPR Compliance

We understand our moral and legal responsibilities to respect your privacy and take care of any personal data we hold about you, in compliance with the data protection legislation (the UK General Data Protection Regulation (the UK GDPR) and the Data Protection Act 2018).

About us
We are CloudPics Ltd. We provide portrait and group photography services to schools and other photographers.

Company details
CloudPics Ltd is a private limited company registered in England & Wales 15013556. Our registered address is SBS House, Tyler Street, Parkeston, Harwich, Essex CO12 4SB.

Data Protection Officer
We take our data protection responsibilities seriously and have a dedicated Data Protection Officer to oversee the handling of personal data. If you have any queries regarding our data protection compliance, you can contact our Data Protection Officer at

Privacy policy
To find out how we handle personal data, please visit our Privacy Policy

We undertake annual GDPR compliance audits and Payment Card Industry (PCI) security audits to ensure our policies, procedures and practices remain up to date and compliant with legislation and best practice.

Policies and procedures
We have a comprehensive Data Protection Policy, Personal Data Breach Handling Procedure and Data Protection Request Handling Procedure. These are communicated to our employees during their on-boarding and when revisions are made. All employees (and where relevant contractors) must read and abide by our policies and procedures.

Training and awareness
Our employees and associates receive mandatory data protection and security awareness training during their on-boarding and refresher training annually. Training is supported by regular awareness raising communications and team discussions.

Information Security
We have appropriate security in place to protect personal data against unauthorised or accidental access, disclosure, loss, destruction or damage. Here are some examples of the technical security measures we have in place to protect our network, equipment and the data they contain:
  • We have firewalls, up to date anti-virus and anti-malware software in place.

  • We ensure security patches are applied promptly.

  • We restrict access to systems on a ‘need to know’ basis.

  • We segregate customer data.

  • We enforce strong password policies.

  • We use encrypted platforms to send, receive and store confidential data securely. This includes our photographs.

  • We regularly back up our data.

  • We use Multi-Factor Authentication to access our data securely.

  • We regularly test our company’s disaster recovery and business continuity plans to ensure data can be restored in a timely manner in the unlikely event of an incident.

  • Personal data is stored on encrypted platforms within the UK or countries covered by UK ‘Adequacy Regulations’.

Here are some examples of the organisational security measures we have in place to protect personal data:
  • Our recruitment procedures include Disclosure and Barring Service (DBS) vetting checks and confidentiality clauses are built into our employment contracts.

  • Data protection and security awareness training is provided to employees during their on-boarding and annually thereafter.

  • Policies and guidance are in place relating to the handling of personal data. These are communicated to employees and other individuals as necessary, including policy revisions.

  • Data protection and security compliance is a regular agenda item in meetings.

  • Cross cutting shredders are used in our offices to dispose of paperwork securely.

  • Appropriate equipment, policies and guidance are provided to employees handling personal data.

  • Buildings and offices are secured when not in use and protected by CCTV.

  • Paper documents and files containing personal data are stored securely and access restricted.

  • Security procedures are in place for visitors coming into the offices.

Personal data breach handling procedures
We have procedures in place to identify, report, investigate and manage personal data security (in the unlikely event they may occur). All incidents and suspected personal data breaches are reported to our Data Protection Officer. If a security incident occurs which involves our customers’ personal data, they will be notified without undue delay.

Data Processors
We sometimes use other companies or contractors to process personal data on our behalf, for example cloud storage providers, advertising and marketing companies, payment processing, printers, freelance photographers and photograph editing companies. We carry out due diligence checks on these ‘data processors’ to assess they have appropriate technical and organisational measures that are sufficient to implement the requirements of the data protection legislation and to protect the rights of data subjects and our customers. We have written contracts in place with our data processors which contain data protection clauses.
Where we act as a data processor for our customers’ personal data, our processing is covered by a Data Processing Agreement. This is available on our website: Data Processing Agreement

Data subjects’ rights
Our employees and associates are provided with training and guidance on how to recognise requests from data subjects exercising their data protection rights. We have a comprehensive Data Protection Request Handling Procedure and recording procedures to manage and monitor requests. If a request is received from one of our customers’ data subjects, we will ask the data subject to make their request directly to our customer or seek their consent to forward their request to the customer.