This document explains how Picento Automated Photography Systems Limited, collects, handles and uses your personal data when you use our services and accessing your images on our website or Picento apps. It tells you how we use it responsibly, and how we keep it safe and secure.
There are a few things that we have to tell you to comply with data protection legislation (the UK GDPR and Data Protection Act 2018, and the EU GDPR).
Who Are We?
We are Picento Automated Photography Systems Limited (‘Picento’) a privately owned company registered in England. We provide automated photography services to major Attractions and Theme Parks and have a website and app that allows you to collect the photographs from the attractions or parks that you visit and keep them in one place.
We have to tell you who the ‘Controller’ is, so that is Picento. We are not required to have a specific Data Protection Officer but we do have support and training for data protection. You can contact us at firstname.lastname@example.org
What data we need
We collect, store and use a small amount of personal data and information that you provide to us including your name, email addresses and, importantly, a photographic image of you that you upload to help us with facial recognition.
We use the uploaded image in our software that technically uses landmark facial points for facial recognition. Because we use facial recognition, this is called Biometric data (Special Category or Sensitive Data. When we match your image to any photographs taken at Attractions or Theme Parks, we will store the matched photographs. If you are interested in how the facial recognition works, we have provided more information at the end of this Privacy Notice.
If you subscribe to our marketing or mailing lists, we will collect and use your name, email address and preferences. We will also collect this data from you when you enter any competitions.
We collect information from the payment system for any app purchases.
How we get the data and information, and why we have it.
Most of the data and information we process about you is provided by you for one of the following reasons:
• You purchase products or services.
• You register for an account on the app.
• You subscribe to our mailing lists and/or marketing.
• You enter a competition.
• You register for promotional offers.
• You contact us to make an enquiry.
We will process photographs taken of you at Attractions and Theme Parks and link these to your account.
We use this personal data and information solely to provide and maintain the service to you. Some information from marketing or mailing list contacts is used to help us improve the quality of the service which is important for continuing improvements of your experience using the app or website.
Why we need it – out legal or lawful bases.
Data Protection legislation and GDPR in particular, requires us to identify a legal basis to process your personal data. We have identified the following that apply to personal data and your use of our services or products.
• Where you provide general personal data or information to purchase a service or register an account, this is with your CONSENT.
• For your uploaded photograph this is with your EXPLICIT CONSENT.
• By purchasing the app, you enter into a CONTRACT with us and we publish the Terms and Conditions on our website and the app.
• Where you have subscribed to our mailing list or marketing, or you enter a competition, the legal basis will be CONSENT. You are able to withdraw or remove your consent at any time by contacting us at email@example.com .
• We have a LEGAL OBLIGATION to collect certain information such as payment details as we have to comply with financial regulations and legislation e.g. HMRC for tax purposes.
Finally, to enable us to operate and administer our business, and to ensure that we can business plan effectively, we have a LEGITIMATE INTEREST in processing some personal information. This helps us to remain accountable to you.
How we store your data.
Keeping your personal data safe and secure, and building your trust when using the service is important to us and we have policies and procedures to do this. We implement all appropriate and reasonable technical and organisational measures to protect your personal data and prevent unauthorised access or disclosure.
For example, we use a world-renowned cloud-based storage service that has very high levels of security and confidentiality. This is based in the EU (Ireland) so we have undertaken all necessary checks and ensure that we have a contract in place.
Any devices that we use are protected and all software including antivirus/firewall is kept up to date.
For added assurance, we have contracts in place for any external service providers such as our accountant, who may have access to name and address for the purpose of preparing accounts.
We do not.
We do not allow any other third parties to have access to your personal data unless we are required to share your data with them by law or we are ordered to do so by a Court.
We do not sell, rent or trade your personal data.
We do not knowingly transfer your personal data to third countries outside of the EEA.
Although we do use your images to for facial recognition to make an automated decision on matching images, this does not have a significant impact on you or your data and is not an automated decision as defined in the data protection legislation. We do not use your data for profiling purposes.
How long we keep it.
We have a retention schedule which details how long we keep data for.
In general we will keep it for a period that is required by law, for example financial records or HMRC records will be kept for 6 years, contracts will be kept for 6 years after the end date of the contract. We may keep personal data for longer if have consented to us keeping it or you have asked us to keep it.
When we no longer need to keep your personal data, or you chose to delete your account, we will then dispose of this by secure and permanent deletion (electronic records).
What are your rights?
You have a number of rights relating to the processing of your personal data. Importantly, this Privacy Notice meets the first right – the right to be informed.
You can ask to see the personal data that we hold about you (known as a Subject Access Request), or even as us to correct it or have it deleted (known as the right to erasure or to be forgotten). There are other rights such as restricting processing, data portability, objecting to processing, or tights linked to automated decision making.
You are not required to pay any fee for exercising your rights or making a request. If you do wish to do this, we usually have one month to respond to you. Please contact us at firstname.lastname@example.org.
Where you have provided personal data with consent, you can withdraw this consent at any time. You can do this by clicking the ‘opt out’ link in any emails we send to you, or by sending an email to email@example.com with the subject “withdraw consent” if you wish to do this. We must tell you that when you opt-out for us to use your data for your account, we will not be able to continue to provide this service to you.
More information on your rights can be found on the Information Commissioner’s website at www.ico.org.uk .
If you wish to raise a complaint on how we have handled your personal data, you can contact us and we will investigate the matter as we would like the opportunity to resolve this with you.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone 0303 123 1113 (local rate) or via their website at www.ico.org.uk.
Additional Information: Facial Recognition.
Facial recognition is the process of detecting a face within an image or video and extracting relevant face attributes to create face landmark points for each detected face. Face landmarks are a set of salient points, usually located on the corners, tips or mid points of key facial components such as the eyes, nose, and mouth. Recognition detects a face and returns a set of 128 different face landmarks which creates a unique numerical identifier, your face landmarks are then identifiable as a line of code. Once your Face Recognition is enrolled in the app you can enjoy an easier and a fast contactless delivery of your images to your device.
The photo taken by the app or uploaded for Face Recognition is used to convert your face into a unique numerical identifier for means of facial recognition. The unique numerical identifier value is stored securely and linked to your customer account, you can delete your face for Face Recognition at any time to withdraw from the service, plus you can contact the data controller at firstname.lastname@example.org for your account and all data/images to be deleted.
Date published: December 2021 Version: 2.0