In the UK, the GDPR is implemented through the Data Protection Act 2018. This act controls how personal information is used by organisations, businesses, or the government. Everyone responsible for using personal data must follow strict rules called ‘data protection principles’.

The Information Commissioner's Office (ICO) is responsible for enforcing these regulations in the UK. Visit https://www.gov.uk/data-protection to find out more.

Data Protection & Privacy

De Villiers Photography (“we”, “us”, “our”) is committed to protecting the privacy, confidentiality, and security of all personal data entrusted to us. This Data Protection section explains how we collect, use, store, transfer, and safeguard personal data in accordance with:

• The UK General Data Protection Regulation (UK GDPR)

• The EU General Data Protection Regulation (EU GDPR) (where applicable to EU‑based customers)

• The Data Protection Act 2018

• The EU Data Act (Regulation (EU) 2023/2854), where applicable to data access, portability, and fair contractual terms

• Other relevant international data‑governance frameworks

We act as the Data Controller for all personal data provided to us. This means we determine the purposes and lawful bases for processing your personal data.

1. Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity and contact information (name, address, email, phone number)

• Booking and event details

• Payment information (processed securely via third‑party providers)

• Images and video captured during the commissioned Services

• Communications (email, website forms, phone calls, social media messages)

• Preferences, feedback, testimonials, and survey responses

• Technical data (IP address, browser type, device information) when interacting with our website

We only collect personal data that is necessary for the performance of our Services or where we have a lawful basis to do so.

2. Lawful Bases for Processing

We process personal data under the following lawful bases:

• Contractual necessity – to provide photography services, manage bookings, deliver images, and fulfil our contractual obligations.

• Legal obligation – to comply with tax, accounting, and regulatory requirements.

• Legitimate interests – to improve our services, manage our business operations, prevent fraud, and maintain security.

• Consent – for marketing communications or specific uses of images. Consent may be withdrawn at any time.

3. How We Use Personal Data

We use personal data for the following purposes:

• To manage bookings, deliver Services, and fulfil contractual obligations

• To communicate with you regarding your booking, updates, or changes

• To process payments and issue invoices

• To deliver digital or printed products

• To respond to enquiries, complaints, or feedback

• To improve our services, website, and customer experience

• To comply with legal, regulatory, or law‑enforcement requirements

• To protect our rights, including enforcing our Terms & Conditions

We do not sell or rent personal data to any third party.

4. International Customers & Cross‑Border Data Transfers

For international customers, personal data may be transferred to and processed within the United Kingdom.

Where data is transferred outside the UK or EU (for example, when using international cloud storage or communication tools), we ensure that:

• The destination country has an adequacy decision, or

• Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), International Data Transfer Agreements (IDTAs), or equivalent protections.

We only work with third‑party providers who demonstrate compliance with UK GDPR, EU GDPR, or equivalent international standards.

5. EU Data Act Compliance (Where Applicable)

Although the EU Data Act primarily governs access to and use of non‑personal, machine‑generated data, we recognise that some international customers may be located within the EU or may rely on EU‑based digital services.

Where applicable, we ensure that:

• Customers have fair, transparent, and non‑discriminatory access to any data they are entitled to receive.

• Contractual terms relating to data access, portability, and use are fair and balanced, in line with the EU Data Act’s requirements.

• Any data‑sharing arrangements with third‑party providers are governed by clear contractual safeguards.

• Customers retain the right to request access to their data in a structured, commonly used, machine‑readable format.

• We do not impose unfair contractual restrictions on data portability or access rights.

This section applies only where the EU Data Act is relevant and does not override UK GDPR or EU GDPR obligations.

6. Data Sharing with Third Parties

We may share personal data with trusted third‑party service providers, including:

• Payment processors

• Cloud storage and file‑delivery platforms

• Printing laboratories

• Web hosting and email service providers

• IT and security providers

• Subcontracted photographers or assistants (where required)

All third parties are required to:

• Use personal data only for the purposes specified

• Maintain appropriate security measures

• Comply with applicable data protection laws

We do not permit third parties to use your data for their own marketing.

7. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

• Encrypted storage and secure servers

• Access controls and authentication

• Secure file‑sharing systems

• Regular data backups

• Device security and malware protection

• Staff confidentiality obligations

Despite these measures, no system is completely secure, and we cannot guarantee absolute security.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

• Contract fulfilment

• Legal and accounting obligations

• Resolving disputes

• Maintaining business records

Images may be retained for longer periods where required for portfolio, marketing, or archival purposes, subject to consent where applicable.

Data may be anonymised and used for statistical or research purposes indefinitely.

9. Your Rights

Depending on your location (UK, EU, or internationally), you may have the following rights:

• Right of access – to request a copy of your personal data

• Right to rectification – to correct inaccurate or incomplete data

• Right to erasure – to request deletion of your data in certain circumstances

• Right to restrict processing – to limit how your data is used

• Right to data portability – to receive your data in a structured, machine‑readable format

• Right to object – including to direct marketing

• Right to withdraw consent – where processing is based on consent

• Right to lodge a complaint – with the ICO (UK) or your local supervisory authority (EU/International)

Requests may require proof of identity to protect your data.

10. Updates to This Policy

We may update this Data Protection section from time to time to reflect changes in law, our services, or our practices. Significant changes will be communicated via our website or email.

11. Contact

If you have any questions, concerns, or wish to exercise your rights, please contact us using the email address provided on our website.