Yup, since the GDPR implementation, it seems you, I, and everyone else need to be concerned about how our data is stored and used. Of course there is truth in that; we don't want to disclose our credit card numbers and the security code to everyone. On the other hand there's little issue with letting people have your bank account details because it's printed on every blasted cheque you've ever written out. So let's get real:
Personal data I collect
If you contact me about photography, either for example to buy a print, or commission me to shoot your event, I will collect some or all of the following: your name so I know what to call you beyond thingummy; your email address so I can communicate with you; any email communication between us; your telephone number(s), in order to speak to you and discuss matters; any text conversation via a messenger service (phone, Whatsapp etc.); and your address so that I can send you any photographs you have ordered, and attend any photographic shoot or meeting you may require at your home. Basically that's the information I need in order to do my job. If you want to know how that fits in technically with GDPR then it means I have a legitimate interest in that data in order for my business to function.
How that data is collected and kept
Well, basically, you give it to me. If you use the contact form on this website then I get an email delivered to my email address and that shows your email address, it does not, however, immediately store your address in any contact list until I contact you through it. With telephone numbers - call me and your call will be stored in the call log with the number (if you've allowed your phone to disclose the number).
I do not currently run an automated email service, nor keep any cookie data. The website is secure (https://) behind a firewall and hosted by Wix, so things posted through the contact form and blog are secure. Which brings us to...
There is a blog on this website (you hadn't noticed, had you. Tsk!). I use it, not as much as I should do, to keep people informed as to what I'm doing photographically speaking - exhibitions, particularly interesting shoots, news about any new gizmo I might have bought, yada, yada, yada. You can comment on that if you want to, and if you do it's public, so public in fact that anyone who looks at that blog post will see it. So don't post anything on there that you don't want disclosed such as your credit card numbers,your PINs, your computer usernames and passwords. You may post anyone else's card numbers, PINs etc., the question would then be how you came to be holding them.
Your rights to confirm things, access them, rectify them and ask for them to be removed
If you want to know about how any of your personal data is handled then get in touch and I'll let you know. I'm fine about showing you the data I have on you and, strangely enough, it'll only be the stuff you've passed on to me. If any of the information is wrong then you have the right to have it corrected, which is good for both of us because I'd rather be communicating with the Joe Bloggs that I think I'm contacting than some other Joe Bloggs on the other side of the planet (it happens, I've been the recipient of emails from real estate companies, and martial arts clubs in the USA and opticians in Canada just because they've omitted an initial in the email address name or confused a letter in the surname). If you want all your personal data deleted then you can request it, and I'll do it, but if that happens then I won't be able to complete any work for you that you may have requested.
What I'll do, and not do, with your personal data
I'll use it responsibly. Contact me about something and I will get back to you by email, phone, letter to discuss the matter. What I won't do is pass your email etc. on to anyone else, and that includes (in the case of weddings) my second shooter unless we have already agreed on the matter. I won't be sending you out loads of newsletters because I don't produce loads of newsletter.
However if you are or have been a client of mine, bought a print in the past and/or dropped your email on a visitors book at an Open Studios event or another of my exhibitions, you may get the occasional invite to an upcoming exhibition, which if you're into a bit of free booze and nibbles might be a good thing. If you don't want that, then just ask and I'll drop you from the address list (see above).
As far as this concerns me (and you in this instance), this means a photograph taken by me of your face. The rules from the EU haven't been too clear about what this means for photographers except that we need to demonstrate reasonable and legitimate use. It means that if you ask me to shoot your music gig, wedding, promotional photos, headshots, then obviously I'll have your face-based data - an image of you. After all that's the idea! What it doesn't mean is that I'm going to sell that image to any other person, company, or organisation. If I am approached by another body to buy one of your photos then I will contact you.
Of course if it's a wedding shoot then there will likely be guests and family there who will also be photographed. Now, it's reasonable to expect a photographer (or ten) at a wedding so turning up at one kind of says you're accepting the fact that you'll likely role up in a photo at some point. All I'd ask is that if I'm shooting your wedding, bar mitzva, funeral or sporting event, then it's made clear to guests and so forth that photographs will be being taken, and that if anyone really, really does object then to let themselves be known to me.
Like most businesses, and photographers in general, I do like to show my work on Facebook and Instagram. Now, most of my stuff is architecture and landscape so really this whole privacy thing is irrelevant. But for the occasional wedding, music gig, and promo material shoot that I do it's good advertising to promote that work, so I'd really like to be able to punt a few photos of you onto FB, Insta, maybe Flickr, and this website if you're ok with that; but I'll ask first and clarify which images I'm looking at, and make sure everything is cool with you (and hey, if you're that muso I've shot for your latest tour and album I'm giving you a bit of publicity too!).
Basically the GDPR rules mean that I've got to be reasonable and fair in my use of your personal data within the area of my job as a photographer, and that I won't abuse the trust you have given me by passing that data to me.