Colorfoto understands that your privacy is important to you and that you care about how staff and student data is used. We respect and value the privacy of all of our customers and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the provisions of the General Data Protection Regulation (GDPR).
1. Information About Us

– Colorfoto Limited, registered in England under company number 3135828.
– Registered address: Image House, East Tyndall Street, Cardiff CF24 5EF
– Main trading address: As above.
– VAT number: 666 8191 92.
– Data Protection Officer: Christine Whitby
– ICO Registration No. ZA084981
– Email address:
– Telephone number: 02920 448210.
– Postal Address: As above

2. What Does This Notice Cover?

This Privacy Information explains how we use staff and student data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to staff and student data.

3. What is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that we use is set out in Part 5, below.

4. What Are My Rights?

Under the GDPR, you have the following rights, which we will always work to uphold:
– The right to be informed about our collection and use of staff and student data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 12.
– The right to access the personal data we hold about your staff and students. Part 11 will tell you how to do this.
– The right to have staff and student data rectified if any staff or student data held by us is inaccurate or incomplete. Please contact us using the details in Part 12 to find out more.
– The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any staff and student data that we have. Please contact us using the details in Part 12 to find out more.
– The right to restrict (i.e. prevent) the processing of staff and student data.
– The right to object to us using staff and student data for a particular purpose or purposes.
– The right to data portability. This means that you can ask us for a copy of staff and student data held by us to re-use with another service or business in many cases.
– Rights relating to automated decision-making and profiling. We do not use staff and student data in this way.
– Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
– If you have any cause for complaint about our use of staff and student data, you have the right to lodge a complaint with the Information Commissioner’s Office.

5. What Personal Data Do You Collect?

We process the personal data that we receive from you as part of our business relationship. In addition, we process, to the extent necessary for the provision of our services, personal data that we receive from other sources (e.g. the facilities in which we photograph, such as schools and day-care centres) in a legally permissible way (e.g. to execute orders, to fulfil contracts or on the basis of a consent granted by you). We are also permitted to process personal data which we may have obtained from publicly available sources (e.g. debtor directories, press, media) in a legally permissible way. Relevant personal data are personal details and contact details (e.g. name, class, year group, admission number, job title, address, telephone number and email address). In addition, this may also include order data or data from the fulfilment of our contractual obligations, such as advertising and sales data, documentation data, data on your use of our tele-media offerings, as well as other data comparable with the aforementioned categories.

6. How Do You Use My Personal Data?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) for the following purposes:

To fulfil contractual obligations (Art. 6 (1) letter b GDPR)

The processing of personal data is carried out for the provision of the photographic services and the associated sale of captured images and their electronic transmission or production on photo products and delivery to customers, and in particular also to carry out our contracts or pre-contractual measures with you, as well as the execution of your orders. The purposes of data processing are primarily obligations arising from the sales contract into which you enter with us by placing an order and can include, among other things, reminders of important events.

In the context of the balancing of interests (Art. 6 (1) letter f GDPR)

If necessary, we process your data beyond the actual fulfilment of the contract in order to protect our own legitimate interests or those of third parties, for: advertising or market and opinion research, insofar as you have not objected to the use of your data; the enforcement of legal claims and defence in legal disputes; ensuring IT security; prevention and investigation of criminal offences; measures for business management and further development of services and products.

We also process personal data when you contact us through our contact screen. We process any data you include in the screen to process and respond to your inquiry or request. As soon as your inquiry or request has been solved, we delete your data.

Should we be engaged in events where our photographic services have been used to take pictures, we process the personal data obtained there on the basis of the justified interest to fulfil the order given to us and to offer it for purchase. If this is the case, we shall refer to the photographs of the persons present during the event, as well as to a right of objection. Please note that an objection only takes effect in the future. All processing carried out until then remains unaffected.

On the basis of your consent (Art. 6 (1) letter a GDPR)

If you have given us consent to the processing of personal data for certain purposes (e.g. publication or use of images), the legality of such processing is based on your consent. You may revoke your consent at any time with effect for the future. Please note that the revocation only takes effect in the future. Processing carried out before the revocation remains unaffected.

Pursuant to legal requirements (Art. 6 (1) letter c GDPR) or in the public interest (Art. 6 (1) letter e GDPR)

We also process personal data on the basis of legal requirements. For example, we store invoice data (name, address) on the basis of existing legislation, such as the retention obligations.

7. How Long Will You Keep My Personal Data?

Where necessary, we process and store your personal data to the extent necessary to comply with our contractual obligations. In addition, we are subject to various retention and documentation obligations. The time limits for storage and documentation can be one to six years.

8. How and Where Do You Store or Transfer My Personal Data?

We will only store staff and student data in our own secure data centre in Cardiff, UK. This means that it will be fully compliant with the GDPR.

9. Do You Share My Personal Data?

We will not share any staff and student data with any third parties for any purposes, subject to one important exception. In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

10. Is there a duty for me to provide data?

In the context of our business relationship, you must provide only the personal data necessary for the establishment, execution and termination of a business relationship or which we are legally obliged to collect. Without this data, we will usually have to reject the conclusion of the contract or the execution of the order or will no longer be able to execute an existing contract and may have to terminate it. Furthermore, it is necessary for us to request additional data for the provision of paid services.

11. How Can I Access My Personal Data?

If you want to know what personal data we have about your staff and students you can ask us for details of that data and for a copy of it (where any such personal data is held). This is known as a “subject access request”. All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 12. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of staff and student data, within that time. In some cases, however, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

12. How Do I Contact You?

To contact us about anything to do with staff and student data and data protection, including to make a subject access request, please use the following details for the attention of Christine Whitby:
– Email address: .
– Telephone number: 02920 448210.
– Postal Address: Image House, East Tyndall Street, Cardiff CF24 5EF

13. Changes to this Privacy Notice

This Privacy Policy was last updated on 9th November 2023. Please check back regularly to keep informed of changes to this Policy.