Privacy Policy
Last updated November 27, 2024
Background
(A) Emma Wiss, Kinnekullevägen 24, Bromma, emma@emmawiss.com ("we", "our", "ours", "us") provides wedding photography services (the "Service") on and off the website https://emmawiss.com/ (the "Website").
(B) We are the data controller responsible for processing personal data in connection with providing the Service. In this Privacy Policy (this "Privacy Policy"), we describe how we collect, use, share, delete, or otherwise process your personal data in connection with providing the Service, and how you can exercise your rights under applicable data protection laws.
(C) We recommend that you periodically visit our Website to review the latest version of this Privacy Policy. If we update the Privacy Policy, we will also update the "Last Updated" date at the top of this Privacy Policy.
1. Collection of Personal Data
1.1 First, we would like to briefly explain some key terms that are used throughout this Privacy Policy.
(a) "Personal data" means any information relating to an identified or identifiable natural person (referred to as a "data subject"), where an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier. This could include a name, personal identification number, phone number, or email address.
(b) "Processing" of personal data means performing any operation on your personal data. This could involve collecting, using, structuring, storing, or deleting your personal data.
(c) "GDPR" refers to the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and Council, dated April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC.
1.2 We will collect certain personal data about you if you ask us questions via the Website or other communication channels, or if you request that we provide the Service to you. We typically collect personal data directly from you, but if necessary, we may also collect data from third parties or publicly available sources.
1.3 We will also collect certain personal data about the couple getting married from the person ordering the Service, as well as data about other wedding participants captured in photographs during the execution of the Service.
2. Categories of Personal Data
We collect the following categories of personal data about you:
Category of Personal Data:
Examples of Personal Data:
Name and contact information
Name, phone number, address, email address
Photograph
Photos of the wedding couple and other participants/guests
Identification number
Personal identity number
Bank details
Account number and related information
Communication
Correspondence between you and us related to the Service or other inquiries
Other information
Other data you choose to provide, such as in free text fields, or data we may request depending on the circumstances
3. Purpose and Legal Basis for Processing Personal Data
We process your personal data for various purposes, on different legal grounds, and store this data for varying periods, depending on the processing activity, and always in accordance with applicable data protection laws, primarily GDPR. Below, we explain these purposes and legal grounds for each category of personal data we may process. We may also process your personal data for additional purposes, such as complying with orders or decisions from authorities, which we describe in more detail in section 5.
Legal Basis
Purpose
Category of Personal Data
Name and contact information, Identification number, Communication, Other information
Receiving and processing your Service request
Necessary step to enter into a contract with you (Art. 6.1(b) GDPR)
Photograph
Photography of wedding couple and participants
Necessary for contract performance (Art. 6.1(b) GDPR)
Photograph
Marketing of photos on the Website and social media
Consent (Art. 6.1(a) GDPR)
Name and contact information, Identification number (if a contract exists), Communication, Other information
Providing customer support for our Service
Necessary for contract performance (Art. 6.1(b) GDPR) or legitimate interest (Art. 6.1(f) GDPR)
Name and contact information, Bank details
Refund payments
Necessary for contract performance (Art. 6.1(b) GDPR)
4. Sharing of Your Personal Data
4.1 We will share your personal data with third parties when necessary. We will only share your personal data for a specific purpose and solely with third parties that can provide sufficient guarantees to protect your personal data in accordance with GDPR. Below, you can read more about the categories of third parties with whom we may share your personal data.
4.2 We may share your personal data with public authorities when it is necessary to comply with applicable laws, regulations, or official decisions. We may also share your personal data when we, in good faith, believe it is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a public authority's request. The legal basis for this is typically compliance with a legal obligation under Article 6.1(c) GDPR but may also be our or others' legitimate interest under Article 6.1(f) GDPR if we determine that this interest outweighs your interest in not having your personal data processed for this purpose.
4.3 We may also share your personal data with service providers that assist us by providing services related to our business and the Service, and therefore process personal data on our behalf. These third parties may include providers of photographic, legal, financial, technical, or IT services. These service providers are only permitted to process your personal data as necessary to provide their services to us and have no independent right to process or share your personal data beyond our instructions. The legal basis is our legitimate interest in using third-party services under Article 6.1(f) GDPR, which we have assessed outweighs your interest in not having your personal data processed for this purpose.
4.4 With your consent, we may publish photos taken during the Service on our Website and social media platforms. We always obtain your consent using a separate form.
5. Transfer of Personal Data Outside the EU/EEA
5.1 Some of our service providers may be located in countries outside the European Union (EU) or the European Economic Area (EEA). If this occurs, we will always ensure that we rely on an appropriate transfer mechanism to ensure your personal data is protected as if it were processed within the EU/EEA. Such mechanisms may include:
(a) Transferring your personal data only to countries that the European Commission has determined provide an adequate level of protection, meaning a level of protection comparable to GDPR.
(b) Entering into Standard Contractual Clauses (SCCs) as decided by the European Commission with the recipient of your personal data, which obligates the recipient to comply with GDPR-level protection.
5.2 Additionally, we may take further measures deemed appropriate and necessary to protect your personal data.
6. Retention Period
6.1 We will retain your personal data as long as necessary to fulfill the purpose for which the data was initially collected. When we no longer need to store your personal data for the purpose, we will either delete or anonymize it.
6.2 Typically, we retain your personal data from the time you order our Service and up to twelve months after the Service has been delivered.
6.3 However, we may need to retain your personal data for a longer period if required by applicable law, court, or administrative decision, or otherwise to defend ourselves against legal claims. If necessary, we will retain your personal data for such a longer period.
7. Security
7.1 We maintain a reasonable and appropriate level of security in our operations, including technical and organizational measures, to ensure that your personal data is protected against loss, destruction, misuse, unauthorized access, and unauthorized disclosure.
7.2 Note, however, that while we strive to maintain a reasonable level of security for personal data, no security system can prevent all potential breaches.
8. Your Rights and How to Exercise Them
8.1 Right of Access
You have the right to request confirmation as to whether we process personal data about you and, if so, obtain a copy of the personal data we process by requesting a "record extract." Note that if we receive a request for access, we may ask you to provide additional information to ensure efficient handling of your request and that the information is provided to the correct person.
8.2 Right to Rectification
You have the right to have inaccurate or incomplete personal data corrected or completed.
8.3 Right to Deletion
You have the right to request the deletion of personal data we process about you, and we are obligated to delete the data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. Note, however, that we are not obligated to delete your personal data if we can demonstrate that the processing is necessary to fulfill a contract with you, comply with a legal obligation, or establish, exercise, or defend legal claims, or if we have another legal basis for retaining the data.
8.4 Right to Restriction
You have the right to request that we restrict our processing of your personal data under certain circumstances, such as if you believe the personal data we process about you is inaccurate or that we no longer need the personal data for the purpose for which it was collected.
8.5 Right to Object
You have the right to object, at any time and for reasons related to your specific situation, to our processing of your personal data if our processing is based, for example, on legitimate interest (following a balancing test).
8.6 Right to Data Portability
If our right to process your personal data is based either on your consent or on fulfilling a contract with you, you have the right, if processing is carried out automatically, to receive a copy of the personal data concerning you that you have provided to us in a structured, commonly used, digital format and to transfer this data to another data controller without hindrance from us. You also have the right to request that this data be transferred directly from us to another data controller if technically feasible.
8.7 Right to Withdraw Consent
If our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time by contacting us. If you withdraw your consent, note that this does not affect the legality of processing conducted based on your consent before its withdrawal.
8.8 Complaints
You have the right to lodge a complaint with the relevant supervisory authority within the EU/EEA if you believe that our processing of your personal data violates applicable data protection laws. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm.
9. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy from time to time. This is necessary to provide you with accurate and current information about how we process your personal data. The latest version of the Privacy Policy will always be available on our Website.
10. Contact Us
If you have questions about how we process your personal data, this Privacy Policy, or otherwise have feedback on our processing of your personal data, please contact us using the contact details provided in Background (A) above.