Quick Contact Form
Security Code

Hayley Lehmann Photography

General Data Protection Regulation (2018) Policy for Hayley Lehmann Ltd

Policy prepared by: Hayley Lehmann Date: May 2018


This General Data Protection Regulation 2018 Policy ensures that Hayley Lehmann Ltd complies with the data protection law and follows good practice, protecting the rights of staff, customers and suppliers, is open about how it stores and processes individuals’ data, and protects itself from the risks of a data breach.

HL Schools and Pics Checkout also fall under the Hayley Lehmann Ltd corporate umbrella.

Hayley Lehmann Ltd needs to gather and use certain information about individuals. Individuals can include customers, suppliers, business contacts, employees and other people with whom the organisation has a relationship or may need to contact. This also includes names of students and schoolchildren particularly for the production of data matched images on CD for use in schools and sales of individual, sibling and named group photographs.

This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards — and to comply with the law.

General Data Protection Regulation 2018

The General Data Protection Regulation 2018 describes how organisations — including Hayley Lehmann Ltd — must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

We are Data Protection Registered with Information Commissioners Office (ICO) registration number

Z8135382 and have been registered since 2003.

What Obligations Do Data Controllers Have?

We adhere to the 6 principles relating to Processing of Personal Data set out in the GDPR which require personal data to be:


At Hayley Lehmann Ltd the Data Controller is Hayley Lehmann. She is responsible for ensuring the company minimises any data protection risks, knows its responsibilities and tackles any issues.

Data Protection Risks

This policy helps to protect Hayley Lehmann Ltd from data security risks, including:

  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Unsafe processes. The company will periodically review the processes used in order to identify and minimise the potential impact of risk within its data processing activities.
  • Ensuring accountability. Everyone who works for or with Hayley Lehmann Ltd has some responsibility for ensuring data is collected, stored and handled appropriately.
  • Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Data Protection Responsibilities

This policy helps to identify data protection responsibilities at Hayley Lehmann Ltd, including:

  • Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  • Arranging data protection training and advice for the people covered by this policy.
  • Handling data protection questions from staff and anyone else covered by this policy.
  • Dealing with requests from individuals to see the data Hayley Lehmann Ltd holds about them (also called ‘subject access requests’).
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating any third-party services the company is considering using to store or process data. For instance, web hosting services.
  • Approving any data protection statements attached to communications such as emails and letters.
  • Ensuring any marketing initiatives abide by data protection principles.

General Staff Guidelines

The only people able to access data covered by this policy should be those who need it for their work.

Data should not be shared informally. Hayley Lehmann Ltd provides training to all employees to help them understand their responsibilities when handling data.

Employees should keep all data secure, by taking sensible precautions and following the guidelines below. In particular, strong passwords must be used and they should never be shared.

Personal data should not be disclosed to unauthorised people, either within the company or externally.

Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.

Employees should request help from the Data Controller if they are unsure about any aspect of data protection.

Data Storage

These rules describe how and where data should be safely stored.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason. When not required, the paper or files are kept in a locked office.

Employees make sure paper and printouts are not left where unauthorised people could see them, like on a printer. Data printouts are shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. Data is protected by strong passwords that are changed regularly and never shared between employees. If data is stored on removable media (like a CD or DVD), these are kept locked away securely when not being used. Data is only stored on designated drives and servers. Data is backed up frequently. Data is never saved directly to laptops or other mobile devices like tablets or smart phones. All servers and computers containing data are protected by approved security software and a firewall.

Data use

These rules describe how and what data can be used.

We are sent pupil information from schools in order to supply head and shoulder thumbnails of pupils to be used with sims.net and other schools management information systems. The safety of pupils in schools falls within the realm of public interest when it comes to GDPR.

The sale of school photos to parents does not fall within the realm of public interest. However the schools are required to obtain permission from Data Subjects (parents if the child is under 13, or the pupil if aged 13 or over) to allow us to hold the name, registration group, year and sometimes the date of birth or gender of pupils to perform this function and it is assumed in our contract with the school that they have done this.

The information we receive from schools is digitally transferred to the admin side of our website where it links with the pupils’ images which we have also uploaded by secure means. The headshot information is only requested by and provided by our employees who are DBS checked and provided to the school by secure means. Thereafter the data is used to name proof cards and to fulfil orders to the schools to make the administration of the school photo process efficient for the school and ensure parents get their orders.

We maintain a customer relationship database with details of customers: schools, photographers who use our software services, and persons contracting other photographic services, voice recordings and artwork from us.

When working with personal data, employees ensure the screens of their computers are always locked when left unattended. Personal data is not shared informally. Data is encrypted before being transferred electronically. Personal data should never be transferred outside of the European Economic Area. Employees should not save copies of personal data to their own computers but always access and update the central copy of any data.

Supplier Agreement / Data Sharing

These rules describe the relationship we have with third party suppliers.

The supplier must only act on our written instructions (unless required by law to act without such instructions).

The supplier must ensure that people processing the data are subject to a duty of confidence.

The supplier must assist us in providing subject access and allowing data subjects to exercise their rights under the GDPR.

The supplier must assist us in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.

The supplier must delete or return all personal data to us as requested at the end of the contract

The supplier must submit to audits and inspections, and tell us immediately if it is asked to do something infringing the GDPR

Nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR

The supplier must take appropriate measures to ensure the security of processing

The supplier must only engage a sub-processor with the prior consent of the data controller and a written contract.


These rules describe the relationship we have with our photographers.

All of our photographers are DBS checked and carry a copy of their up to date certificates.

Once the images have been taken the photographer transfers them directly from the camera cards to our in-house Server.

Administration Team

These rules describe the relationship we have with our administration team.

All of our administration team are DBS checked and work on our Customer Relation Management (CRM) system in-house. This data includes the contact name, school/company name, address, telephone number and email address.

Data is stored on password protected computers within a locked office within an alarmed building.

Data is stored for varying lengths of time depending on the terms of the contract but never longer than deemed necessary. Paper copies, where held, are kept in line with standard accounting procedures to assist in dealing with any queries that may arise at a later date. Any printouts are shredded when no longer required.

All of the images are produced internally and then packed by our own internal packing department within the same building.

We also have external CCTV.

Online Orders

For online photograph orders Hayley Lehmann Ltd uses a bespoke cloud-based system called Pics Checkout which was developed in-house. All parts of the system software are owned by Hayley Lehmann Ltd. Every image is stored securely on a Virtual Private Network and our online orders can only be accessed with a unique username and password.

Hayley Lehmann Ltd’s online orders website has a DigiCert security certificate and card payments are provided by Stripe who deal with the complete process of handling the card payments. This means that we do not process payment information and do not store it ourselves. The payment is transacted through Secure Server Software, which encrypts all of the information so that it can’t be intercepted.

Subject access requests

All individuals who are the subject of personal data held by Hayley Lehmann Ltd are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email, addressed to the Data Controller at Hayley@hayleylehmann.co.uk. A response will be provided within 28 days.

The Data Controller will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons

In certain circumstances, the General Data Protection Regulation 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

Under these circumstances, Hayley Lehmann Ltd will disclose the requested data. However, the Data Controller will ensure the request is legitimate.

About Us | Services | Styles | Merchandise | Proof Cards | Packs | FAQ | Case Studies | Contact Us | Sitemap

Printing is disabled on the Hayley Lehmann website. If you wish to order copies of any of our prints then please contact us.

Telephone: 020 8447 5706

Hayley Lehmann Ltd
The Den
2 Dingle Close
Barnet, Herts