PRIVACY POLICY
1. Purpose and Scope of this Privacy Policy
This privacy policy (hereinafter: the “Policy”) aims to define the lawful use of the records/databases maintained by … (hereinafter: the “Data Controller”), to ensure the enforcement of constitutional principles of data protection, the right to informational self-determination, and data security requirements, and to enable individuals to exercise control over their personal data within the framework of applicable law, to become informed about the conditions of data processing, and to prevent unauthorized access, alteration, or disclosure of personal data. Furthermore, this Policy serves to inform the data subjects about the Data Controller’s data processing practices.
…. (hereinafter: the “Data Controller”) carries out photography and dog photography activities, which require processing personal data to provide the service. In operating the website https://thedogphoto.com (hereinafter: the “Website”), the Data Controller processes the personal data of individuals ordering photography services through the Website (hereinafter collectively: the “Data Subjects”).
2. Contact Details of the Data Controller
Name:
Registered office:
Company registration number:
Tax number:
Representative: Tímea Ilyés
Email: contact@thedogphoto.com
3. Important Concepts and Definitions
UK GDPR (UK General Data Protection Regulation): The United Kingdom’s data protection legislation, which governs the processing of personal data and is part of the Data Protection Act 2018.
Data Controller: A natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data, either alone or jointly with others.
Data Processing: Any operation or set of operations performed on personal data or datasets, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
Personal Data: Any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Third Party: A natural or legal person, public authority, agency, or any other body that is not the Data Subject, Data Controller, Data Processor, or a person authorized to process personal data under the direct authority of the Data Controller or Data Processor.
Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them, either by a statement or by a clear affirmative action.
Restriction of Processing: Marking stored personal data to limit their future processing.
Erasure: Rendering data irretrievable such that it cannot be restored.
Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
4. Categories of Personal Data Processed
4.1. Different personal data may be requested from users depending on the services they wish to access, in accordance with the principle of data minimisation. This Privacy Notice applies exclusively to the processing of personal data of natural persons visiting the Website, as personal data are only meaningful in relation to natural persons.
4.2. Information that is collected anonymously, without the possibility of identifying a natural person, does not constitute personal data. Likewise, demographic data collected in a manner that is not linked to identifiable individuals do not constitute personal data, as no connection to a natural person can be established.
4.3. Specifically, the categories of personal data processed include:
For those completing the order form for photography packages provided on https://thedogphoto.com:
Full name
Email address
Telephone number
5. Legal Basis for Data Processing
The legal basis for processing personal data is the voluntary consent of the data subject. This means that by submitting their personal data through the Website or other means, the data subject gives explicit permission for the Service Provider to process their personal data for the purposes described in this Privacy Notice.
6. Purpose of Data Processing
The personal data collected are processed for the purposes of:
– contacting and communicating with the data subject,
– providing information or responding to requests for information,
– personalised service to the data subject,
– sending price quotations and agreements at the request of the data subject, which may serve as the basis for a potential future order.
7. Retention Period of Personal Data
7.1. Enquiries
Emails and their contents received through initial contact with the Service Provider (including the sender’s name, email address, date, and any attachments) are retained for 1 year from the date of last contact and then securely deleted.
7.2. Quote Requests and Clients
If a contract is concluded, personal data are retained for the duration of the contract and, according to accounting regulations, for 8 years following the completion of the service. If no contract is concluded and the intended purpose is not achieved, personal data are retained for 1 year after the quote expires.
7.3. Photography Participants
For individuals participating in photography sessions, the Service Provider retains personal data in the form of photographs generated during the service. Retouched photographs are kept for 1 year after the session, and raw images are kept for 3 months. The legal basis for this processing is the legitimate interest of the data subject to access their photographs in case of loss, accidental deletion, or damage, upon request.
8. Scope of Access, Data Sharing, and Data Processing
Personal data collected from Data Subjects may be accessed by the Service Provider’s internal staff, who are obligated not to publish or share the information. Third parties may only receive the data for processing purposes if explicitly requested by the Data Subject and directed to a recipient specified by the Data Subject. The Service Provider may engage a data processor to perform tasks arising in the course of its activities.
Data Processor and Recipients:
Service Provider / Hosting Provider: Rackhost Zrt.
Address: 6722 Szeged, Tisza Lajos körút 41, Hungary
Tax Number: 25333572-2-06
Company Number: 06-10-000489
Category: Web hosting provider
9. Technical Data – Log Files
For the provision of services, the system automatically logs the following technical data:
The user’s computer dynamic IP address
The type of browser and operating system used by the user, depending on the computer settings
The user’s activities on the website
These data are used primarily for technical purposes, such as analyzing and verifying the secure operation of servers. This is an automatic IT security process, recorded in server logs without requiring consent from the Data Subject. These technical data cannot identify an individual user and are not combined with other personal data held by the Data Controller. Log data are stored for 6 months from the date of the visit.
The website may be accessed by anyone without providing any personal data beyond this automatic technical data collection.
Providing personal data is entirely voluntary; Data Subjects may freely decide whether to provide the requested personal information. If consent is given, the Data Controller processes the data in accordance with applicable UK law and within the limits of the Data Subject’s consent.
10. Rights of Data Subjects and Remedies
10.1. Rights of the Data Subject
The Data Subject may request from the Data Controller:
a) information regarding the processing of their personal data;
b) rectification of their personal data;
c) erasure or restriction of personal data, except where mandatory processing is required by law;
d) the transfer of personal data to another data controller.
10.2. Provision of Information
Upon request, the Data Controller shall provide the Data Subject, within 30 days of receiving the request, with written information regarding:
the personal data processed by the Data Controller or on behalf of the Data Controller by an appointed data processor;
the source of the data;
the purpose, legal basis, and duration of processing;
the name and address of the data processor;
all activities related to data processing;
in case of data transfer, the legal basis and the recipient of the data.
Providing this information is free of charge for requests made once per calendar year regarding the same area of processing. For additional requests, the Data Controller may charge a reasonable fee, which must be reimbursed if the data were unlawfully processed or if the request leads to rectification of the data.
The Data Controller maintains a record of data transfers to verify their lawfulness and to inform the Data Subject. This record includes: the time of transfer, the legal basis, the recipient, the scope of transferred personal data, and other information required by applicable law.
The Data Controller also maintains a data breach log to monitor incidents and inform affected Data Subjects. This log includes: the personal data involved, the number and scope of affected Data Subjects, the timing and circumstances of the breach, its impact, measures taken to mitigate the incident, and other relevant information required by law.
10.3. Correction and Deletion
The Data Subject may request correction or deletion of inaccurate personal data at any time. Requests must be submitted in writing, either by post or email. The Data Controller shall delete the requested data within 3 working days of receipt. Deleted data cannot be restored. Deletion does not apply to data that must be retained by law (e.g., accounting or tax regulations), which the Data Controller will retain for the legally required period.
10.4. Restriction and Portability
The Data Subject may also request restriction of processing or the transfer of their data to another data controller. The Data Controller will restrict personal data if requested by the Data Subject or if deletion would harm the Data Subject’s legitimate interests. Restricted data may only be processed as long as the purpose justifying the restriction persists.
The Data Controller shall inform the Data Subject and any recipients of previously shared data of any rectification, restriction, or erasure. Notification may be omitted if it does not adversely affect the Data Subject’s rights.
If the Data Controller refuses a request for rectification, restriction, or deletion, it shall provide written justification of the factual and legal grounds within 30 days of receiving the request.
10.5. Withdrawal of Consent and Objection
The Data Subject may at any time:
request the transfer of their personal data to another controller, if processing is based on a contract or consent and handled automatically;
withdraw previously given consent for data processing.
The Data Subject may also object to the processing of their personal data. The Data Controller will review the objection promptly, but no later than 15 days from submission, and provide written notification of the decision. If a request for correction, deletion, or restriction is refused, the Data Controller will inform the Data Subject of the right to judicial remedies and the option to contact the Information Commissioner’s Office (ICO).
10.6. Data Security Measures
The Data Controller ensures privacy by design and by default, applying appropriate technical and organizational measures to:
strictly control access to personal data;
grant access only to individuals who require it to perform their tasks, limiting access to the minimum necessary data;
carefully select data processors and ensure data security through data processing agreements;
maintain the integrity, authenticity, and protection of personal data.
The Data Controller applies reasonable physical, technical, and organizational safeguards to protect personal data from accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, use, or access. In the event of unauthorized access or misuse of personal data, the Data Controller shall promptly notify affected Data Subjects.
Where personal data must be transferred, the Data Controller ensures appropriate protection of the transmitted data, e.g., through encryption. The Data Controller is fully responsible for personal data processed by third parties.
Regular backups are maintained to protect personal data from accidental destruction or loss.
11. Right to Complain
If you believe that the processing of your personal data violates UK data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Lodging a complaint with the ICO does not affect your right to seek other legal remedies under UK law.
12. Contact Details
For all matters regarding your personal data, including requests for access, correction, deletion, restriction, portability, withdrawal of consent, or any questions about this privacy notice, please contact the Data Controller:
Data Controller:
Representative: Tímea Ilyés
Address:
Email: contact@thedogphoto.com
Phone: +44
Please clearly specify your request so that we can respond efficiently. We will respond within the legal timeframes set out in UK GDPR, normally within 1 month.
