Privacy Policy


General information

We’ll tell you:

  • why we are able to process your information
  • what purpose we are processing it for
  • whether you have to provide it to us
  • how long we store it for
  • whether there are other recipients of your personal information
  • whether we intend to transfer it to another country, and
  • whether we do automated decision-making or profiling.

Controller’s contact details 

Heather Shirin Neff is the controller for the personal information we process, unless otherwise stated.

There are many ways you can contact us, including by phone, email, and post. Contact us here.

Our postal address:

Heather Shirin Fine Art
Mills River NC 28759

828-575-7731

How do we get information?

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made an information request to us.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter.
  • You responded to a blog post on our website.

We also receive personal information indirectly, in the following scenarios:

  • We have contacted you about a complaint you have made through a link on our website.
  • Your personal information is contained in reports of breaches of data protection law (‘breach reports’) given to us by organizations.
  • From other regulators or law enforcement bodies.
  • An employee or representative of ours gives your contact details as an emergency contact or a reference for your project.

If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here. 

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here. 

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organization to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract (or in talks about entering into one), and the processing is automated. You can read more about this right here.

If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the relevant section of the notice.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us at accessicoinformation@ico.org.uk if you wish to make a request, or contact our helpline on 0303 123 1113.

Request a service adjustment

Service adjustments

As a public authority and a provider of services to the public, we have a legal duty to comply with the Equality Act (2010).

This means we need to make service adjustments for anyone with a disability who contacts us in any capacity, to eliminate any barriers to accessing our services. Our legal basis for processing this information is article 6(1)(c) of the GDPR as we have a legal obligation to provide this. Our processing of special category data, such as health information you give us, will be based on article 9(2)(a), which means we need your consent.

We’ll create a record of your adjustment requirements. These will give your name, contact details and type of adjustment required, along with a brief description of why it is required. Relevant staff can access this to ensure they are communicating with you in the required way.

How long we keep it

Information: Google Analytics Reports (Retained by Owner Indefinitely)

Information: Squarespace Website Hosting contains and holds analytics. Please visit the Squarespace Privacy Policy.

Information: We use Mailchimp for newsletters and promotional advertisements. Please visit Mailchimp's Privacy Policy.

Information: Email newsletter subscription data (Retained until subscriber unsubscribes, at which time data is deleted) 

Information: Cookies to enable website to run (Retained until or site visitor chooses to opt out using site permission box upon each site visit)

Information: Customer name, email, phone, address if provided (Retained for 5 years and then deleted)

Information: Contracts/Agreements (Adobe Sign PDF Retained for duration of project, then kept for 5 years and/or deleted)

Information: Project hard copies (Retained for duration of project, then shredded and destroyed)

What are your rights?

As we need your consent to process your special category data you have a right to withdraw your consent at any time.

For more information on your rights, please see ‘Your rights as an individual’.

Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organization apart from us. They will hold it securely and retain it for the period we instruct. 

In some circumstances we are legally obliged to share information, for example under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.


Your right of access

You have the right to find out if an organization is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request.’

How to access your data

You can make a subject access request to find out what data is held and how it is used. You may make a subject access request before exercising your other information rights.

You can make a subject access request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. It will also provide clear evidence of your actions.

To exercise your right of access, follow these steps:

Step 1

  • Identify where to send your request.
  • Think about what personal data you want to access.

Step 2

  • Make your request directly to the organization.
  • State clearly what you want.

You might not want all the personal data that the organization holds about you. It may respond more quickly if you explain this and identify the specific data you want.

When making a subject access request, include the following information:

  • Your name and contact details.
  • Any information used by the organization to identify or distinguish you from other people with the same name (account numbers etc).
  • Any details or relevant dates that will help it identify what you want.

For example, you may want to ask for:

  • your personnel file
  • emails between ‘person A’ and ‘person B’ (say from 1 June 2018 to 1 Sept 2018)
  • CCTV camera data situated at ‘location E’ on, say, 23 May 2017 from 11am to 5pm
  • records detailing the transfer of your data to a third party.

Letter template
[Your full address]
[Phone number]
[The date]
[Name and address of the organization]

Dear Sir or Madam,

Subject access request

[Your full name and address and any other details to help identify you and the data you want.]

Please supply the data about me that I am entitled to under data protection law relating to: [give specific details of the data you want, for example:

• my personnel file
• emails between ‘person A’ and ‘person B’ (from 1 June 2017 to 1 Sept 2017)
• my medical records (between 2014 and 2017) held by ‘Dr C’ at ‘hospital D’
• CCTV camera situated at (‘location E’) on 23 May 2017 between 11am and 5pm
• copies of statements (between 2013 and 2017) held in account number xxxxx.]

If you need any more data from me, or a fee, please let me know as soon as possible. It may be helpful for you to know that data protection law requires you to respond to a request for data within one calendar month.

If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member. If you need advice on dealing with this request, the Owner can assist you. Its website is cheerfulwor.com or it can be contacted on 888-899-9218.

Yours faithfully
[Signature]

Step 3

  • Keep a copy of your request.
  • Keep any proof of postage or delivery.

When to re-submit a request

You can ask an organization for access more than once. However, it may be able to refuse access if your request is, as the law says, ‘manifestly unfounded or excessive.’

If you are thinking of resubmitting a request, you should think about whether:

  • it is likely that your data has changed since your last request
  • enough time has passed for it to be reasonable to request an update on how your data is being used, or
  • the organization has changed its activities or processes recently.

What to do if you disagree with the outcome or remain dissatisfied

If you are unhappy with how the organization has handled your request, you should first make a complaint to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice first.

What organizations should do

If an organization reasonably needs more information to help it find your data or identify you, it has to ask you for the information it needs. It can then wait until it has all the necessary information before dealing with your request.

When it responds to your request, the organization should provide you with a copy of your data. It may do this electronically. If you need your data in another format, you must ask if this is possible.

You are also entitled to be told the following things:

  • What it is using your data for.
  • Who it is sharing your data with.
  • How long it will store your data, and how it made this decision.
  • Information on your rights to challenge the accuracy of your data, to have it deleted, or to object to its use.
  • Your right to complain to the ICO.
  • Information on where your data came from.
  • Whether your data is used for profiling or automated decision making and how it is doing this.
  • If it has transferred your data to a third country or an international organization, what security measures it took.

When can the organization say no?

An organization may refuse your subject access request if your data includes information about another individual, except where:

  • the other individual has agreed to the disclosure, or
  • it is reasonable to provide you with this information without the other individual’s consent.

In deciding this, the organization will have to balance your right to access your data against the other individual’s rights regarding their own information.

The organization can also refuse your request if it is ‘manifestly unfounded or excessive’.

In any case the organization will need to tell you and justify its decision. It should also let you know about your right to complain to the ICO, or through the courts.

How long should the organization take?

An organization has one month to respond to your request. In certain circumstances it may need extra time to consider your request and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.

Can the organization charge a fee for this?

A copy of your personal data should be provided free. An organization may charge for additional copies. It can only charge a fee if it thinks the request is ‘manifestly unfounded or excessive’. If so, it may ask for a reasonable fee for administrative costs associated with the request.


Raising a concern with an organization

You have the right to be confident that organizations handle your personal information responsibly and in line with good practice.

If you have a concern about the way an organization is handling your information, for example if it:

  • is not keeping your information secure;
  • holds inaccurate information about you;
  • has disclosed information about you;
  • is keeping information about you for longer than is necessary; or
  • has collected information for one reason and is using it for something else;

we believe that the organization responsible should deal with it. We expect them to take your concern seriously and work with you to try to resolve it.

How should I raise my concern about how an organization has handled my information?

You can use the template letter below to help you raise your concerns.

[Your full address]
[Phone number]
[The date]

[Name and address of the organization]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights concern
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled my personal information properly.

[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully
[Signature]

What else should I do?

Here are some tips to follow when you raise your concern.

  • Raise your concern quickly. People move on, memories fade and records are deleted in line with retention policies. The longer it takes to raise your concern with an organization, the harder it will be for them to look into it thoroughly.
  • Send it to the right place. There’s no point in raising a matter quickly if it then takes weeks to get to the right department. Check the organization’s website or give them a call to make sure you have the right address. In some cases, you may be able to find it on our Register of fee payers.
  • Write legibly. Typed or word processed documents are easiest to read. If you write your complaint by hand, make sure your writing is easy for others to understand.
  • Keep your language simple. Although you will have checked our website to see what the relevant legislation says, don’t feel you have to quote it to raise a complaint. Just explain clearly and simply what has happened and, where appropriate, the effect it has had on you.
  • Be specific. If you have had a long relationship with the organization concerned, resist any temptation to include historical or unrelated complaints in your letter. This can confuse matters and leave the organization unsure which of your concerns you really want them to deal with.
  • Don’t move the goalposts. Include full details of your concern at the beginning. If the organization responds properly, don’t raise additional unrelated matters as part of that complaint. However, if it appears that the organization has misunderstood you, or has not given a full response, you should let them know.
  • Stay reasonable. You may be justifiably angry or upset about what has happened. Keeping your letter calm and polite will help you get your points across more clearly. Remember that the person you are dealing with might have had nothing to do with the problem you had. Also, remember that they are only human. A rude letter might make it difficult for them to want to help.
  • Don’t get personal. Don’t insult members of the organization’s staff. Apart from being unreasonable behavior, the response may lack focus if the writer feels obliged to defend his or her colleagues or staff.
  • Request and respect timescales. Ask when you can expect the organization to respond and resist any temptation to contact them again before that. However, if you do not receive a response on time, you should chase it, although we recommend giving an extra couple of days to allow for administrative or postal delays.
  • Include all necessary information. Include all relevant details such as account or patient numbers to help the organization identify you and your concern correctly.
  • Include all necessary evidence. Send copies of all the key documents you have to evidence your complaint. Don’t send the originals as you might need them later. Also, don’t include additional documentation ‘just in case’. The more documents you send, the more likely it is that key information will be missed.
  • Keep good records. Clearly date all letters, make notes of all related conversations and keep copies of everything.
  • Exhaust the process. If the ‘final’ response you receive does not resolve the matter to your satisfaction but also signposts you to any further complaints or review procedure, make sure you exhaust that process before bringing the matter to our attention.

What’s the ICO’s role?

We give guidance and support to organizations to help them get things right. We can also help you take steps to address your concern. We can’t act as your representative, award compensation or – apart from in the most serious cases – punish an organization for breaking the law. But we can help you understand how to best work with the organization to resolve your concern.

Should I raise my concern with the ICO?

If the organization has been unable, or unwilling, to resolve your information rights concern, you can raise the matter with us. We will use the information you have provided, including the organization’s response to your concerns, to decide if your concern provides an opportunity to improve information rights practice.

If we think it does provide that opportunity, we will take appropriate action. This could take a variety of forms.

You should raise the matter with us within three months of your last meaningful contact with the organization concerned.

You can follow the advice on this page, or you can raise your concern with us.

Thank you,
Heather Shirin Fine Art