Data is managed and or hosted for John Coveney Photography by five suppliers, who have their own GDPR compliant data and privacy policies - see the Data Service Providers section on page 7. Access to my data service provider accounts is via unique passwords and, where available, two factor authentication.
John Coveney has been photographing people place and wildlife in Dublin, all over Ireland and occasionally abroad since 2001 when he got his first digital camera. He has been running John Coveney Photography since 2013. He got his initial licentiate from the Irish Photography Federation in 2011 and he earned a high level Associateship qualification from them in 2017. In 2014, he won their National Nature photographic competition. His landscape and fashion work has been published in the national media.
If you make direct contact with me, or if I approach you, you may provide me with information such as your name, email and phone number. Additional job specific information could include your postal address and details of an event, such as where it is on, who will be there, and what kind photographs you want. In the case of an event with a religious or legal component such as a Weddings or First Communions, information on your religious or sexual orientation may be implicitly or explicitly provided.
Any direct contacts to John Coveney Photography in person, by phone, text, WhatsApp, or using Instagram, Facebook, Twitter or Flickr messaging are secured and managed by those applications on my phone and on my laptop and desktop. These accounts and devices are uniquely password protected and, where available, by touch ID and two-factor authentication. Email contacts are principally managed in my office using Microsoft Outlook on my desktop – they are also forwarded to a gmail address for mobile access – see page 10. Occasionally notes about these contacts are made in my paper diary which is stored in my locked office or is in my possession when I’m away from the office.
See Data Security on page 5.
Clients may pay online for photography services and products provided by John Coveney Photography. They may do this by bank transfer, with PayPal, or with debit or credit cards. The security and privacy of online payments you make to John Coveney Photography from your bank or PayPal account are covered by those organizations’ data protection and privacy policies. Credit & debit card payments to John Coveney Photography are handled by Zenfolio and I only receive details of who made the payment, what it is for, and how much is involved. John Coveney Photography does not receive any credit or debit card details from customers. Here is how Zenfolio handles credit card payments on behalf of its photographer clients as detailed to me by Zenfolio Support: - [except for the addition of text in square brackets to enhance readability as well as active links]
[Zenfolio] take[s] security of transactions extremely seriously. We process tens of thousands of orders and all of the information collected during the check-out is processed via our secured servers. These servers are certified by VeriSign, a market leader in online security.
Because we must process transactions in a secure environment, we are also PCI compliant, which a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
If you become aware of any errors in your personal data, please contact me in writing by email at [email protected] or by post to John Coveney Photography, 56 Castle Farm, Shankill, Dublin D18 AD83. I will take all reasonable steps to correct errors notified to me once I have contacted you to verify the correction that you submitted.
I take all reasonable steps to responsibly manage information about clients, suppliers, contacts and website visitors to protect this information from loss, misuse, unauthorized access, unauthorized disclosure, alteration, or its destruction except as specified by a contact or client in accordance with law. However, no computer or internet system is 100% reliable, secure or error. In particular, email sent to or from John Coveney Photography is not secure. Additionally, it is your responsibility to secure any passwords linked to any account on my site that you may have, and also any passwords or direct links that you may have to private galleries on my site.
All John Coveney Photography’s business and image data is principally managed on a password protected desktop in my home office with its own separate locked and alarmed entrance. Only I and my co-director (my wife – who is not operationally involved in the business) has access to this office. On-site backups are to local hard drives held in this office and in a locked cabinet in my house. Secure offsite backups are done using Backblaze - see page 10. When I am working away from base, I use a password protected laptop and password protected mobile hard drives. On return to base, client and contact imagery and information is copied to the desktop system and, once backed up, it is deleted from the laptop and the mobile drives.
Most of my client imagery is taken with a high specification digital camera (DSLR) with removable dual memory cards that allows duplication of the imagery as it is being captured. As a shoot is completed or as memory cards fill up, they are removed from my cameras and stored on my person until I can copy the images to my desktop or laptop – normally within a few hours. Memory cards with client and contact images are never left in unattended in cameras or cars. Once the imagery is backed up, it is deleted from the cameras’ memory cards. Client & contact imagery is catalogued and processed using Adobe’s Lightroom and is typically tagged with the clients’ and contacts’ names and the location of the shoot. Client & contact imagery may be further manipulated with Photoshop. Client and contact image data is backed up locally to secured hard drives. Offsite backups to “the cloud” are done using Backblaze - see page 10
No client or contact imagery is ever sold to third parties without explicit written client/contact permission and, where relevant e.g. for advertising purposes, a model release is obtained. With client/contact permission, I may share high quality client image data on my website and my social media accounts to promote my business. I may also for submit them for photographic qualifications and awards. Clients/contacts may withdraw permission for the display of images on my website, my blog and on my social media accounts. This should be done in writing by emailing me at [email protected] . However, if a client or contacts gives permission for an image to be used in connection with a submission for an award or qualification and if that submission is successful and goes into to the public domain, the image cannot be removed from public circulation. Additionally clients and contacts should to be aware that if they consent to me publicly displaying their photograph(s) on my website, blog or social media accounts, it may pass irretrievably into the public domain beyond my control even if I take it down from my website and accounts.
I may photograph adult guests of clients or other third parties at their events and may wish to display these images on my website, my blog or my social media accounts to legitimately promote my business. It may not be possible (nor is it required by GDPR) for me to seek consent of guests to take their photographs. In order to balance the rights of guests who appear in my public photographs I apply the following three tests:
If in spite of the application of these tests, I am approached by the person in question and asked to take down the photograph I will do so, except in the case of award winning images in the public domain as detailed above in section 4.1.1.
Any images of children on my website are only published with the explicit written permission of their parents or guardians or relevant organizations such as schools or sports clubs. Full names of children are not published, nor are any other contact details.
In preparing this section on the photography at client events of adult and child guests, and also third parties, I read and took account of the only guidance on photography from the Irish Data Protection Commission (DPC) here. This mainly deals with photography at school events and by implication at other events involving children. More generally, however, the DPC advocates a “common sense” approach and states unambiguously that that GDPR does not prevent anyone taking photographs of people at public events providing they are not “harassing” them. However, GDPR arises when considering what to do with these photographs especially if they are put on public display. It then advises that that same GDPR considerations that apply to other personal data are also applied to the storage and display of these photographs – especially consent, compliance by me with withdrawal of consent requests, and legitimate interest.
“We live in a world where every owner of a smartphone is a potential photographer. The GDPR does not provide an exact roadmap on when it’s permissible to take and publish photographs in the context of school events. However, a balanced, common sense approach will go a long way towards ensuring that individuals’ rights are respected, while also ensuring that data protection doesn’t become an obstacle to capturing and celebrating significant school events.”
Data is managed, transmitted, processed and hosted for John Coveney Photography by five data service providers as detailed below. These five suppliers have their own GDPR compliant service, data and privacy policies. Access to my data service provider accounts is via unique passwords and, where available, two factor authentication.
Details of how Zenfolio handles client and contact account information is in the Client & Supplier subsection of the Information Collection section on page 3.
Information of how Zenfolio secures payment Information is covered in the section on Privacy and Security of Payment Methods and Details on page 4.
Zenfolio anonymously track visitors to galleries, including private galleries as per the following text in italics [with slight modifications in square brackets to enhance readability] – as received from Zenfolio Support on 6 May 2019.
While [Zenfolio] offer[s] some basic visitor tracking numbers for your galleries, the visitor counter will only show a visit to [a JCP] site or a gallery if a Photo page or a Quick Shop page is viewed. If someone simply clicks into [a JCP] gallery, but does not click a photo within the gallery, their visit will not count in the visitor counter. Same if they visit [the JCP] homepage but do not go into any galleries to view an image.
Only unique visitors are recorded, so if a visitor views the same photos from the same computer, the system will not record the additional visits because the visitor's IP address is what constitutes a new visitor. Depending on the ISP (Internet Service Provider) settings, multiple computers can be on the same IP address which can skew the visitor count.
What are cookies?
A cookie is a simple text file that is stored on your computer or mobile device by a website's server. Only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It contains some anonymous information such as a unique identifier, the site name, and random digits and numbers. Cookies allow a website to remember things like your preferences, or what's in your shopping basket.
For more details about cookies and details of how to delete and disable cookies you can visit www.aboutcookies.org. For more information, including how to turn off cookies, see below.
The cookies set by our website fall into the following categories.
Strictly Necessary [Cookies]
These cookies are essential to ensure that you can navigate and use all features of the site. This includes browsing pages, remembering your preferences, saving favorite images, secure registration, placing orders, and other essential features. These cookies don't gather any information about you that could be used for marketing or remembering where you've been on the Internet.
These cookies allow the website to deliver a better browsing experience. They collect information about your website usage, such as the pages you visit, or if you experience any errors. These cookies don't collect any information that could identify you - all the information collected is anonymous and is only used to help us improve how the website works.
Functionality cookies are used to provide services, or to remember settings to improve your visit. We use them for remembering settings you've applied, showing you when you're logged in to the website, saving your favorite images, and so on.
Targeting cookies are linked to services provided by third parties. These include 'Like' buttons and 'Share' buttons used by services like Facebook, Google+, Twitter, Pinterest, and others. The third party provides these services in return for recognising that you have visited our website.
Additionally, the website may use Google Analytics or StatCounter services to analyse the use of this website. These services generate statistical and other information about website use by means of cookies, which are stored on users' computers. The information generated relating to our website is used to create reports about the use of the website. You can view privacy policies for Google Analytics or StatCounter on their respective websites.
There is no advertising on my website from anyone other than John Coveney Photography and I do not use any of the information gathered on website in connection with advertising.
The domain name for the John Coveney Photography website at www.johncoveney.ie is provided by Digital Media Internet Services – an Irish company trading as LetsHost.ie. However, the website itself and all its contents are located on Zenfolio’s servers (see section 5.1) and so are not visible to Letshost.ie. Therefore, LetsHost.ie does not process my website data.
Emails to and from John Coveney Photography email addresses at [email protected] and [email protected] pass through LetsHost.ie’s email servers but they are automatically deleted from those servers once I download them to Microsoft Outlook on my desktop. LetsHost’s terms of service are here and their GDPR compliance statement is here.
All of John Coveney Photography’s business and image data is encrypted before transfer and securely backed up remotely by Backblaze – an American company. Their security policy can be viewed here. All data transfers between JCP and Backblaze are encrypted and done securely via HTTPS. Backblaze is unable to access this encrypted JCP data. I can only access remotely backed up JCP data via a unique password that is also subject to two-factor authentication. In the event of the total loss of part of all of my on-site data and backups, Backblaze will restore data over the internet (up to 500GB) or on shipped encrypted drives for larger amounts of data. This approach to offsite backups and restores “in the cloud” complies with the guidance of the Data Protection Commission.