Data Protection

Data Protection Regulations

Introduction

Risk Assessment of OrderMyPhotos details compliance of the GDPR (General Data Protection Regulations of the European Union) which far beyond supersedes the Australian privacy act. OrderMyPhotos takes data protection seriously, we have partnered with a software provider that achieves the best score possible in penetration testing.

Our software partner Netlife AS (org nr.983 501 605) are to be considered as a processor and are responsible for processing personal data on behalf of OrderMyPhotos as a controller. Development of the platform is always based on the ‘data protection by design and by default” principle. The controller determines the purposes and means of processing personal data.

The data protection includes the following rights for individuals and you will find information on how the software platform is compliant with these rights below:

the right to be informed;

the right of access;

the right to rectification;

the right to erasure;

the right to restrict processing;

the right to data portability;

the right to object;

and the right not to be subject to automated decision-making including profiling:

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data.

In our privacy policy we inform about the purposes for processing personal data, the retention periods for that personal data, and who it will be shared with.

Our privacy policy is always visual in the Webshop both as short link in the footer and also as a pop-up together with the cookie warning.

The right of access

Individuals have the right to access their personal data and supplementary information.

The right of access allows individuals to be aware of and verify the lawfulness of the processing.

In the users “my account” section in the webshop, the user can easily download a .zip file containing a full copy of all data we hold on them.

The right to rectification

Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed

The user can at any time get access to – and edit their info in the “my account” section.

The right to erasure/be forgotten

Individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.

The user will at any time get access to the “delete me” feature in the “my account” section in the webshop. If they press this button, their user account will be “frozen” and inactivated. If they regret, they can reactivate their account within 30 days. After 30 days the user account and all data stored on their account will be erased.

The right to restrict processing

Individuals have the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organization uses their data. This is an alternative to requesting the erasure of their data.

In the users “my account” they can select to stop all reminder on both desktop and mobile.

The right to data portability

The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

The content in the .zip file downloaded with data stored can be sent to the third party. But since we have the copyright to the pictures, we are not committed to transfer these to a new controller.

The right to object

Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.

The user needs to actively opt-in to receive communication related to pure marketing of services when they create an account. In the users “my account” they can select to stop all reminder and preventing us from contact them with sales related communication. Communication related to gallery access, including reminders is not considered as marketing.

Cookie warning

We will display a warning in the webpage footer regarding the use of cookies, where the user needs to accept before continuing to register an account. Users can at any time read more about how the cookies are used on a dedicated system webpage with a direct link in the webshop footer.

Server Security

Information regarding server security provided by our software partner Netlife AS (org. nr 983 501 605).

To get a fully controlled and monitored environment, and to provide the uptime and the reliability necessary for the service, Netlife have built their own dedicated server rack, where all data is stored. They do not use cloud based storage based on third party suppliers like Amazon.

“Netlife store all data in a server center which is located in a designated underground facility in Norway. This facility is also used by other national and international telcos and the national archive of Norway. Access to the facility is secured with 24-hour manned security, biometric access & intruder alarms. We have electronic access control systems with per-rack resolution and camera monitoring. The servers are also protected with automatic non-destructive fire suppression. The data center has currently a Tier 2-3 certification.

A highly over-dimensioned power supply with high-quality redundant UPS systems and diesel generators, will together protect against any data crash due to loss of power.

As an additional protective layer against data loss and disasters, Netlife store an additional copy of all data in a different safe location.”

Privacy Policy

In order to provide the best service for your parents/guardians and pupils, OrderMyPhotos will use the details provided as follows:

When accessing the site and using its services they will see the following information.

We ask for the following contact details so that we can process your orders and ensure that your photographs are secure and only accessed by those with permission.

The data we will processed on your behalf includes:

	Parent or username

	Telephone number

	Parent or user email address

	Invoice address

	Deliver address

	School

	School Year

	Club or Dance studio

	Individual Photos of each child

	Any class photo the child may have been in

	Student ID (if applicable)

	Address
	 

	We do not store credit card details.
	 We only pass your photographic data on to third-party service provider ‘Netlife’ who are contracted to OrderMyPhotos to enable secure encrypted and password access to your Photos. No name or personal details are sent or stored.

The exact type of data that is processed and how it is used is determined by the services you have requested or that have been arranged with you but here is a summary of the use of your data, full details are shown in the more detailed information, further down the page.

We require your name, address, telephone number, email address for secure identification and correspondence during your purchase of photos. Consent for photography to take place, would have been given by the parent to the school, club or dance studio prior to our involvement. All information is held securely to ensure nothing can inflict harm on any personal data we hold.

This information will be used only for legitimate interests

For identification and correspondence during the purchase of photos
To send email communication between yourselves and OrderMyPhotos when you purchase your photographs from the site such as confirmation of orders and payment.
To allow us to send you emails and/or texts to advise you when your gallery is open and ready to use and when offers, such as, batch shipping are due to close*.
To send you details of offers or new products that may be of interest*.
We also process personal data on the basis of legal requirements. For example, we store invoice data
(name, address) on the basis of existing legislation for Legal and Accounting records

* You have the option to opt out of receiving these communications when you create your account.

Disclosure

OrderMyPhotos will not pass on your data to third parties, except ‘Netlife’ who securely hold your photographs so you can view and purchase the items. This is done through a secure encrypted portal with password access to your Photos. We do not pass on any other information without first obtaining your consent. No name or personal details are sent or stored

Who is responsible for data processing and who can I contact?

Data Protection Officer
Under the regulation, OrderMyPhotos has an acting Data Protection Officer and a Senior Data Controller who can be contacted on:
Email: help@ordermyphotos.com.au

ADDITIONAL INFORMATION

Special Categories of Personal Data

	-We do not store ‘special’ personal data

	-We may ask to ‘view’ an item of ‘special’ personal data if being asked to hand over sensitive data and we are required to identify an authorized recipient in order to prevent a data breach

Retention Policy

OrderMyPhotos will process personal data to coincide with Legal and Accounting records. The exception being special case data which, in the event of a client requesting for photographic data to be deleted for security reasons. Accounting data will still be held for 7 years.

Your Rights as a Data Subject

As a data subject, you will have the following rights:

	Right of access – you have the right to request a copy of the information that we hold about you.

	Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

	Right to be forgotten – you have the ability to remove your data within your account settings.

	Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.

	Right of portability – you have the right to have the data we hold about you transferred to another organization.

	Right to object – you have the right to object to certain types of processing such as direct marketing, this can be easily removed in your account settings.

	Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.

	Right to judicial review: in the event that OrderMyPhotos refuses your request under rights of access, we will provide you with a reason as to why.

	You have the right to complain as outlined in our terms of purchase.

All of the above requests will be forwarded on, should there be a need for a third party involved in the processing of your personal data.

In line with Subject Access Request Procedure and Subject Access Request Form, which we can provide.

Complaints

In the event that you wish to make a complaint about how your personal data is being processed by OrderMyPhotos (or its third parties), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority.

You can report a concern directly with the ACCC, if OrderMyPhotos fails to handle your complaint in an appropriate manner.

Please send any initial complaints to: help@ordermyphotos.com.au

	
	Why do I OrderMyPhotos need to collect and store personal data?
	
	In order for us to provide you any level of service we need to collect personal data for correspondence purposes. We are committed to ensuring that the information we collect, and use is appropriate for this purpose, and does not constitute an invasion of your privacy.
	
	Will OrderMyPhotos share my personal data with anyone else?
	
	We only pass your photographic data on to third-party service provider ‘Netlife’ who are contracted to OrderMyPhotos to enable secure encrypted and password access to your Photos. No name or personal details are sent or stored. When they no longer need to store your data to fulfill this service, they will dispose of the details in line with OrderMyPhotos procedures. If we wish to pass your sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.
	
	How will OrderMyPhotos use the personal data it collects about me?
	
	OrderMyPhotos will process (collect, store and use) the information you provide in a manner compatible with Australian Privacy Act and the EU’s General Data Protection Regulation (GDPR). We will endeavor to keep your information accurate and up to date, and not keep it for longer than is necessary. OrderMyPhotos is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.
	
	Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimize the risk of unauthorized access or disclosure.
	
	Can I find out the personal data that the organization holds about me?
	
	Parents and Guardians using the system can go to their account and opt out of the communication for all/selected connected subjects.  If new subjects are added to their account later, communication for these are automatically allowed until it is disabled by the user.
	
	OrderMyPhotos at your request, can confirm what information we hold about you and how it is processed. If OrderMyPhotos does hold personal data about you, you can request the following information:

	-Identity and the contact details of the person or organization that has determined how and why to process your data. 

	-Contact details of the data protection officer, where applicable. 

	-The purpose of the processing as well as the legal basis for processing.

	-If the processing is based on the legitimate interests of OrderMyPhotos a third party, information about those interests.

	-The categories of personal data collected, stored and processed.

	-Recipient(s) or categories of recipients that the data is/will be disclosed to.

	-If we intend to transfer the personal data to a third country or EU international organization, this is done securely through encrypted means.

	
	What forms of ID will I need to provide in order to access this?
	
	OrderMyPhotos accepts any of the following forms of ID when information on your personal data is requested:

	Passport

	Driving license

	Another form for ID which leaves no doubt of the data owner

	
	The processing of personal data is carried out for the provision of the photographic services and the associated sale of captured images and their electronic transmission or production on photo products and delivery to customers, and in particular also to carry out our contracts or pre-contractual measures with you, as well as the execution of your orders. The purposes of data processing are primarily obligations arising from the sales contract in which you enter with us by placing an order in our shop and can include, among other things, reminders of important events. You can find further details about the purpose of data processing in the respective terms and conditions.
	
	If necessary, we process your data beyond the actual fulfillment of the contract in order to protect our own legitimate interests or those of third parties. For: advertising or market and opinion research, insofar as you have not objected to the use of your data; the enforcement of legal claims and defense in legal disputes; ensuring IT security; prevention and investigation of criminal offenses; measures for business management and further development of services and products.
	
	We also process personal data when you contact us through our contact form. We process any data you include in the form. This data is needed to process and respond to your inquiry or request. As soon as your inquiry or request has been solved, we delete your data.
	
	Should we be engaged in events where our photographic services have been used to take pictures, we process the personal data obtained on the basis of the justified interest to fulfill the order given to us and to offer it for purchase. If this is the case, we shall refer to the photographs of the persons present during the event, as well as to a right of objection. Please note that an objection only takes effect in the future. All processing carried out until then remains unaffected.
	
	Consent
	If you have given us consent to process your personal data for certain purposes (e.g. publication or use of images), the legality of such processing is based on your consent. You may revoke your consent at any time with effect for the future. Please note that the revocation only takes effect in the future. Processing carried out before the revocation remains unaffected.
	
	We also process personal data on the basis of legal requirements. For example, we store invoice data (name, address) on the basis of existing legislation, such as the retention obligations.
	
	Is data transmitted to a third country or to an international organization?
	Data transmission to third countries (states outside the European Economic Area, EEA) takes place only to the extent necessary to fulfill our contractual requirements towards you, if required by law, or if you have given us your consent. We will inform you separately about the details if doing so is required by law.
	
	Third-party functions
	Cookies
	
	What are cookies?
	“Cookies” are text files that are stored on your computer that allow an analysis of your use of the website.
	
	What exactly do cookies do?
	The information generated by the cookie about your use of this website is usually transferred to a server and stored there. However, due to the activation of IP anonymisation on some websites, your IP address is sometimes shortened in advance. Depending on the service provider, such an IP address is stored truncated.
	
	What are the transferred data used for?
	On behalf of OrderMyPhotos, the third party will use this information to analyze your use of the website, to compile reports on the activities of the website and to provide further services to the website operator related to the use of the website and the Internet.

How do I turn off cookies?
You can prevent the storage of cookies by changing the corresponding setting in your browser software; however, we would point out that in this case you may not be able to use all the functions of this website to their full extent. Which third-party cookies are used? We use the following third-party cookies on our website:

Google Analytics (For more information, see: https://support.google.com/analytics/answer/6004245?hl=de)
Google Adwords (For more information, see: https://policies.google.com/privacy?hl=de)
Netlife AS PHPSESSID – the PHP session cookie is a general purpose identifier used to maintain user session variables. It is a random generated number and will be deleted when you end your visitor session. It does not contain any user identification information
Google Inc _utma__utmc__utmz_ga_gat_CustomerTracker_gat_NetlifeTracker_gid

Data Transfer

Secure transfer data

Our system will allow you to upload your data directly onto the system, giving you complete control.

Secure Data upload
We understand that many schools are apprehensive about providing us
with a complete subject list, ensuring they comply with data protection
regulations and the fact that email is not considered a “safe” way to
transfer this information.

To overcome this challenge, you can now transfer your data sheet
(spread sheet or csv file) safely by using our encrypted uploader,
embedded in this school admin portal. The system uses end to end
encrypted file transfer to keep your files safe.

Encryption of collected data

The system has an SSL Certificate installed on the server ensuring all
data sent between your client’s computer and the server is encrypted.

TlS 1.1 is blocked to stop the GHOST exploit and other older SSL protocols are blocked for security as well.

Our service provider Netlife AS will regularly review this as
technology develops. This has been standard for years and helps us set
the standards for Australian secure data transfer.