GDPR Information

Last updated: 8 April 2026

Our Commitment to Data Protection

Bright Pebble operates in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take data protection seriously and have implemented policies, procedures, and technical measures to ensure your personal information remains secure and is processed lawfully.

This page provides specific information about your rights under data protection legislation and how we fulfill our obligations as a data controller.

Data Controller Information

For the purposes of data protection legislation, the data controller is:

Bright Pebble Photography
42 Rivington Street
Shoreditch
London EC2A 3BN
United Kingdom
Email: [email protected]

Your Data Protection Rights Explained

Right of Access

You have the right to obtain confirmation that we are processing your personal data and to receive a copy of that data. This is commonly known as a Subject Access Request (SAR). We will provide this information free of charge within one month of receiving your request.

The information we provide will include: what data we hold, why we process it, who we share it with, how long we retain it, and details of your other rights.

Right to Rectification

If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. This applies to factual information rather than opinions. We will make corrections within one month and notify any third parties with whom we have shared the data.

Right to Erasure

Also known as the "right to be forgotten", this allows you to request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

This right is not absolute. We may need to retain certain information for legal compliance, such as financial records required by tax authorities.

Right to Restrict Processing

You can request that we limit how we use your personal data in specific situations:

  • When you contest the accuracy of the data
  • When processing is unlawful but you prefer restriction to erasure
  • When we no longer need the data but you require it for legal claims
  • When you have objected to processing pending verification of our legitimate grounds

Restricted data can be stored but not actively processed without your consent or for specific legal purposes.

Right to Data Portability

Where technically feasible, you can request that we provide your personal data in a structured, commonly used, and machine-readable format. This allows you to move, copy, or transfer data easily between different services. This right applies when processing is based on consent or contract performance and is carried out by automated means.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we will stop that processing immediately. For other objections, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. Bright Pebble does not employ automated decision-making systems that would trigger this right.

How to Exercise Your Rights

To exercise any of the rights described above, please contact us:

  • Email: [email protected] with "Data Protection Request" in the subject line
  • Post: Data Protection Request, Bright Pebble Photography, 42 Rivington Street, London EC2A 3BN

When submitting a request, please provide sufficient information to identify you and specify which right you wish to exercise. We may request additional identification to verify your identity before responding.

We will respond to requests within one month. In complex cases or if we receive multiple requests, this may be extended by two additional months, in which case we will inform you of the delay and the reasons for it.

There is no charge for exercising these rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

Lawful Basis for Processing

We only process personal data when we have a lawful basis to do so. The specific lawful basis depends on the purpose of processing:

Contract

When you engage our photography services, processing your personal data is necessary to fulfill our contractual obligations. This includes project communication, delivery of services, and invoicing.

Consent

For certain activities, such as marketing communications or optional cookies, we rely on your explicit consent. You can withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

Legitimate Interests

We may process data based on legitimate business interests, such as maintaining website security, improving services, and managing business operations. We balance these interests against your rights and only proceed when our interests are not overridden by your fundamental rights and freedoms.

Legal Obligation

Some processing is required to comply with legal obligations, such as maintaining financial records for tax purposes or responding to lawful requests from authorities.

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, or damage. Our security measures include:

  • Encryption of sensitive data both in transit and at rest
  • Secure authentication and access controls
  • Regular security audits and vulnerability assessments
  • Staff training on data protection and security practices
  • Incident response procedures for data breaches
  • Secure disposal of data when no longer required
  • Contractual requirements for third-party processors

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. If the breach presents a high risk to you, we will also notify you directly without undue delay.

Our breach response procedures include immediate containment measures, assessment of impact, notification to relevant parties, and implementation of additional safeguards to prevent recurrence.

Third-Party Processing

When we engage third-party service providers to process personal data on our behalf, we ensure they comply with data protection requirements through:

  • Written contracts specifying processing instructions and security requirements
  • Assessment of their data protection practices and security measures
  • Ongoing monitoring of compliance with contractual obligations
  • Requirements that they notify us of any data breaches

Third-party processors are not permitted to use your data for their own purposes or to share it with others without our explicit instruction.

International Transfers

We primarily store and process data within the United Kingdom. When data is transferred outside the UK or European Economic Area, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the relevant authorities
  • Adequacy decisions recognising equivalent data protection standards
  • Other legally approved transfer mechanisms

You can request further information about international transfers by contacting us.

Children's Data

Our services are not directed at children under 16. We do not knowingly collect or process personal data of children. If we become aware that we have inadvertently collected such data, we will delete it promptly. Parents or guardians who believe we may have collected their child's information should contact us immediately.

Data Protection Impact Assessments

For processing activities that pose high risks to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs). These assessments help identify and minimise data protection risks. Where appropriate, we consult with the Information Commissioner's Office before commencing high-risk processing.

Complaints and Supervisory Authority

If you are unhappy with how we have handled your personal data or believe we have not complied with data protection legislation, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: bright-pebble.com

We encourage you to contact us first so we can attempt to resolve any concerns directly. However, you have the right to lodge a complaint with the ICO at any time.

Policy Updates

We review our data protection practices regularly and update this information as necessary to reflect changes in legislation, our business practices, or technological developments. Significant changes will be communicated to clients and through website notices. The date at the top of this page indicates when it was last updated.

Further Information

For more detailed information about how we handle personal data, please see our Privacy Policy. If you have specific questions about data protection at Bright Pebble, contact us at [email protected].