Data Protection Policy

AGAMI Photo Agency Data Protection Policy
Last updated: May 2018

AGAMI Photo Agency (AGAMI)is committed to the principles of the General Data Protection Regulation:
- Personal data must be processed fairly and lawfully
- Personal data must be obtained only for specified and lawful purposes
- Personal data must be adequate, relevant and not excessive
- Personal data must be accurate and kept up-to-date
- Personal data must not be kept for longer than necessary
- Personal data must be processed in accordance with the rights of data subjects
- There must be measures against unlawful or unauthorised processing of
personal data
- There must be adequate protection for personal data transferred outside the
EEA

What personal data do we collect?
This depends on the purpose but is limited to only what is necessary. We need different personal data for employees, clients, website registrants, photographers, partner agencies and subjects of images.

Do we hold sensitive data?
The only sensitive data we hold is bank information, which is stored sec urely and only accessed by relevant staff. We do not retain credit card information after processing a transaction.

For what purpose is data collected?
Again this depends on the category of data subject and is recorded in our full data audit. For clients, personal data is used to fulfil their orders; for mailing list contacts it is used to send relevant newsletters no more than weekly and to
send a calendar to some contacts annually and to make occasional telephone calls about relevant services we can provide; for photographers we use personal data to pay them their sales commission and to communicate about our
picture needs and sales trends; for web users personal data is used in order to fulfil orders and to enable users to use the site successfully; for subjects of images we keep personal data to maintain editorial accuracy and to confirm the
presence of model releases; for staff we use personal data for contact and payment of salary and to main accurate records on areas such as sickness and performance.

How is data stored?
Most of our data is stored digitally in a variety of secure databases. In some cases we have hard copy records, for instance in the case of contracts, model releases and invoices.




Is data shared internally or externally?
All data is shared internally with those staff who have a legitimate reason to access it. The only data shared externally is financial information (e.g. invoices, bank statements) to our tax administor and image and model release information with clients and subagents who require it to license specific images.

How do we respond to data subject requests?
Each department is aware of the need to respond punctually to data subject requests and knows how to extract and communicate the relevant information.

What procedures are in place to correct, suppress or erase personal data?
All staff are aware of the need to correct personal data and to delete it if the data subject requests this. All email marketing includes a simple unsubscribe process.

What procedures are in place to keep personal data accurate and up-to-date?
All staff are aware of the importance of accuracy of personal data and maintain their areas of data on a daily basis. In addition, we have a periodic audit of our main contacts database to ensure that it is checked annually and that we
delete any data records and website accounts which have had no activity for a significant length of time.

How do we keep data secure?
All data is kept securely with password protection on digital records and hard copy records being kept in a locked office and sensitive data in locked cabinets, with digital files accessible only to authorised staff.

How long do we keep data?
We retain personal data only as long as it remains relevant, unless there is a statutory reason (as with invoices) to keep it longer. Mailing list entries and website accounts are deleted or disabled after 3 years if not used.

Archiving and deletion
Generally personal data is deleted if requested by the subject or if we cannot verify its accuracy. In some cases, such as images and financial records, we have to archive information as we may need to access it in the case of client enquiries
about data accuracy. Archived information is stored separately and in the case of requests for deletion, we keep a record of such requests with the minimum information necessary in our Data Protection File.

What happens if there is a data breach?
We have put measures in place to minimise the risk of a data breach, but in the event of such a data breach, we are aware of our responsibilities to notify the breach to the ICO and to affected data subjects, and we will act promptly to
reduce the impact it would have on the rights of data subjects and to ensure that any necessary improvements to our data storage and handling procedures are made.

Maintaining data protection law knowledge
All AGAMI Photo Agency staff have been well read into and informed about in the basic principles of data protection law and in the way in which this affects their department and activities. And will continue to do so.

Enquiries and contacts
Please address any enquiries to our Data Protection Officer Roy de Haas via roy.de.haas@agami.nl. He works closely with IT Manager Marc Guyt
and Office Manager Wil Leurs on data protection matters.