We are committed to protecting your personal information and being transparent about what information we hold about you. Using personal information allows us to develop a better understanding of our patrons and in turn to provide you with relevant and timely information about the work that we do - both on and off stage. As a charity, it also helps us to engage with potential donors and supporters.
The purpose of this policy is to give you a clear explanation about how we use the information we collect from you directly and from third parties. We use your information in accordance with all applicable laws concerning the protection of personal information. This policy explains:
- What information we may collect about you
- When and how we may use that information
- In what situations we may disclose your details to third parties
- How we keep your personal information secure
- How long we maintain it for and your rights to be able to access it
1. Contacting Rose Theatre Kingston
For the purpose of the General Data Protection Regulation (GDPR) the data controller is Kingston Theatre Trust trading as Rose Theatre Kingston, which is a charity funded by a number of local organisations, trusts and foundations, individual donors and supporters. Our registered charity number is 1000182 and we are also registered as a company in England and Wales under registration number 2497984.
FAO: Data Protection Team
24-26 High Street
KT1 1 HL
Email: [email protected]
Please note: If you wish to opt out of any communication or amend your contact preferences, you can do so by logging into your account or by contacting us as per the details above.
2. What personal information we collect
2.1 Information you give us – For example when you register on our website, buy tickets, make a donation, register for a workshop or other activity, we’ll store personal information you give us such as your name, email address, postal address, telephone number and card details. We will also store a record of all your orders and donations. This information will be held on our system and may be used for operational purposes, such as the processing of bookings and orders in connection with our online ticket ordering services and for mailing list subscriptions (see Section 4. How and why we use your personal data).
In order to process a transaction, your personal information and card details may be passed to third party service providers. Card details will only be used for the purpose of handling an individual transaction unless you opt to store them for future transactions (see Section 8. Security – How we protect your data).
2.2 Young people – our policy is to take bookings for events or activities from people aged 18 years and over. We may ask you to confirm your age when you book an event with us and, if you book a workshop or other activities for young people aged 18 or under, we may ask for extra information, such as the young person’s name, date of birth, school, parent or guardian’s name, address, email, emergency contact, photo/filming consent. We will use this information where we are satisfied that we have a legitimate interest to do so, for example, to provide information in advance of an event, to monitor attendance at a workshop, and to provide a safe environment for all participants. We may also ask for information about any relevant disability or health issues. We will only use this information where we have consent to do so or, if the person is under 18, we will ask for the parent or guardian’s consent. This information will be held on our system and used for operational purposes only, such as for the fulfilment of your booking or order (see Section 4. How and why we use your personal data).
2.4 Special categories of personal data – data protection law recognises that certain categories of personal information are more sensitive such as health information, race, religious beliefs and political opinions. We do not usually collect this type of information about our patrons unless there is a clear reason for doing so. For example, we may collect health information about patrons with specific access requirements or participants in our programme of classes and courses in line with our legitimate interest to provide a safe environment for all patrons and participants. When processing this data, we will always ask for your consent first. This information will be held in our system and will only ever be used for the purposes of fulfilling your booking or order to the best of our ability.
2.5 We may also collect generic information about your visit or use of the Rose website such as your IP addresses, geographical location, browser type, referral source, length of visit and number of page views. We may use this information for security purposes as well as, but not limited to, optimising the use of the Rose website. For example, we may use third party contributors such as analytics service providers for website traffic analysis and reporting and to track information such as which browser, screen resolution and IP address you are using to access our website, in addition to tracking your movements around our website. This information is always anonymized unless it is required for legal or security purposes.
3. The legal basis we rely on to process your personal data – According to current data protection laws, there is a series of bases under which we may process your data. These include:
3.1 Contractual obligations – when you make a purchase from us, you are entering into a contract with us. In order to perform this contract, we need to process and store your data. For example, we may need to contact you by email or telephone in the case of cancellation of a show, or in the case of problems with your payment.
3.2 Legitimate interest – In certain situations (when you make a donation for example) we collect and process your personal information to pursue our legitimate interests in a way which might be reasonably expected as part of running our business and which does not materially impact your rights, freedom or interests. When you book a ticket or activity we may also use your booking history to send you personalised offers or marketing information by email or post about similar events and initiatives that we think may be of interest to you (you may opt-out of receiving these at any time using the contact details at the beginning of this policy). For research and reporting purposes (mostly anonymously), we also combine the booking history of many patrons to identify trends and ensure we provide best customer service. Please see paragraph 5. Disclosure of your information to check where we may use this basis for processing.
3.3 With your explicit consent – In certain situations, where the two bases above are not appropriate, we will instead ask for your explicit consent before using your personal information. For example, when you tick an opt-in box to receive specific communications. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service or offer.
3.4 Legal compliance – If the law requires us to, we may pass on details of people involved in fraud or other criminal activity which may affect the Rose.
Less commonly, we may process your personal information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.
4. How and why we use your personal data
a)To process or fulfil any bookings or orders that you place online, in person or over the phone;
b) To provide you with marketing information by email or text about relevant products, services and events that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes or it is our legitimate interest to do so;
c) To provide you with marketing information by phone about relevant products, services and events that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes or it is our legitimate interest to do so and we have checked the telephone preference service and our own marketing preference records;
d) To provide you with marketing information by post about relevant products, services and events that we feel may interest you, where it is our legitimate interest to do so or you have consented to be contacted for such purposes;
e) To provide you with marketing communications by post, email, web, text and/or phone about relevant products, services and news of other third parties that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes;
f) To conduct fundraising activities and to promote the charitable interests of the Rose, where you have consented to be contacted for such purposes;
g) To administer giving and membership schemes, when you sign up to them;
h) To ensure that our fundraising resources are applied in an effective and efficient manner, and that any communications we may send you are appropriate and will be of interest;
i) To enable you to create an account and participate in interactive features of our website, when you choose to do so;
j) To provide customer service in relation to your use of the Rose website, to deal with enquiries and complaints and to notify you about changes to our services;
k) To administer, support, improve and develop our website, ensuring that its content is presented in the most effective manner for you and for your computer;
m) To improve our website, we may analyse information about how you use it and the content and ads that you interact with. We may also monitor users’ use of the website to enable us to analyse audience make-up, track booking patterns, review audience attendance and review other site behaviour in order to determine what other products, services and events you may be interested in and in order to assist us improve our business generally. We’ll do this on the basis of our legitimate business interest;
n) To send you surveys and feedback requests to help improve our services – participation in these is entirely voluntary and you therefore have a choice whether or not to disclose any information which might be required. We’ll do this on the basis of our legitimate business interest as this will help us make our products or services more relevant to you;
o) To provide third parties with statistical information about our users but this information will not be able to be used to identify any individual user;
p) To identify and prevent fraud or any other criminal activity.
5. Disclosure of your information
5.2 Direct marketing – we aim to communicate with you about the work that we do in ways that you find relevant, timely and respectful. To do this we use data that we have stored about you, such as what events you have booked for in the past, as well as any preferences you may have told us about. We use your explicit consent or our legitimate organisational interest as the legal basis for communications by post and email. You may opt-out of receiving these at any time using the contact details at the beginning of this policy.
Being a charity the Rose relies on the support of a range of donors and supporters, when you purchase tickets you are also given the opportunity to opt in to receiving information about the Rose fundraising initiatives. We will contact you for these purposes only if the relevant box has been ticked. You can opt out or change your contact preferences at any time.
When you purchase tickets you are also given the opportunity to opt in to receiving information from other arts organisations and our sponsors or partners. The Rose will only share your personal information with these organisations if the relevant box has been ticked. You can opt-out or change your contact preferences at any time.
5.3 Email marketing – When purchasing tickets, workshops or other activities/events, we may send you information about similar products, services and events which we feel may interest you, where you have consented to be contacted for such purposes or it is our legitimate interest to do so. You are given the opportunity to opt out from any marketing communication on every subsequent marketing email you receive. You can also opt-out or update your contact preferences at any time by logging into your account, or you can alternatively use the contact details at the start of this policy.
5.4 Other processing activities – To comply with our obligations as a charity, we must take reasonable and appropriate steps to know who our donors are, in order to effectively manage relationships, particularly when significant sums are being donated. This means that we may conduct research, including accessing publicly available information on prospective donors or corporate partners, including individuals and organisations, to ensure that accepting support is in the best legitimate interest of the Rose. This will help to give assurance that the donation is from an appropriate source and to safeguard our reputation. This does not mean that we will question every donation, nor that we will research lots of personal and other details about every donor. Any information we do collect for this purpose will only consist of what is necessary for us to meet these requirements and will be processed in line with your rights.
5.5 Third parties – We sometimes share your personal data with trusted third parties, including:
- Any third party to whom disclosure is necessary to enable us to provide you with any service to which you have subscribed (including, but not limited to, for the purposes of processing payments, or designing, maintaining and administering the Rose website).
- Other carefully selected third parties (eg visiting shows) to contact you about events or services which may be of interest to you, only if you have consented to be contacted by third parties for such purposes.
- Direct marketing companies who help us manage our postal and electronic communications to you.
- Audience research companies that may work with us to improve our services to you (in this case, all data is treated anonymously).
- Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on your acceptance of cookies on our website. Please refer to section 6. Cookies for details.
- In order to enforce any terms and conditions or agreements between us.
- As part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation (we will always notify you in advance and we will aim to ensure that your privacy rights will continue to be protected).
- To protect our rights, property and safety, or the rights, property and safety of others (this includes exchanging information with other companies, organisations and regulators for the purposes of fraud protection and credit risk reduction).
In these cases, we require that these third parties comply strictly with our instructions and with data protection laws.
5.6 If we are required by law or requested by the police or a regulatory or government authority investigating potentially illegal activities to provide information concerning your activities whilst using the network we shall do so. We may also disclose personal information to appropriate third parties to assist in anti-fraud checks and investigations.
In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the beginning of this policy. Please bear in mind that if you object this may affect our ability to carry out tasks above that are for your benefit.
In order to fulfil our obligations to you and deliver the best possible level of customer of care, we currently use the following companies who will process your personal data (sometimes entirely anonymously) as part of their contracts with us:
Box Office system: Spektrix
Banking and payment service providers, such as CAF Bank, Metro Bank, NatWest, Global Payments, Paymentsense, SagePay
Design, website, media agencies and service providers such as Feast Creative, TCS Media, Google Display Network
Mailing houses, such as Graphic Design House, Royal Mail
Audience research agencies, web analytics services and data management systems and communication platforms, such as Audience Agency, Purple Seven, Google Analytics
IT support agencies, such as Focus IT
Social networking websites and services, such as Facebook, Instagram, Twitter
Law firms and legal advisors, such as Moore Stephens, Russell Cooke
Ticket agencies, such as Ticketmaster, Ingresso, Encore, SeeTickets, LittleBird, Travelzoo
6.2 Therefore, we may send a cookie which may be stored by your browser on your computer’s hard drive. We may use the information we obtain from the cookie in the administration of the Rose website, to improve the site’s usability and for marketing purposes. We may also use that information to recognise your computer when you visit the site, to monitor website traffic and to personalise the site for you.
6.3 If you do not wish us to install cookies on your computer for these purposes, you may change the settings on your internet browser to reject cookies. For more information, please consult the ‘Help’ section of your browser. Please note that if you do set your browser to reject cookies, you may not be able to use all of the features of our site.
6.4 As mentioned above, we may use an analytics service provider (such as Google Analytics) for website traffic analysis and reporting. Analytics service providers generate statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to the site may be used to create reports about the use of the site and the analytics service provider will store this information.
7. Third party sites and contributors
8. Security – How we protect your data
8.1 We employ security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage. We store all the personal information you provide, including your login and user details (where applicable), on our secure servers. All electronic transactions you make to or receive from us will be encrypted using SSL technology. Only employees and approved contractors/developers we may appoint from time to time, and who need the information to perform a specific job, are granted access to personally identifiable information. If you use your credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). We optionally allow you to store your card details for use in a future transaction. This is carried out in compliance with PCI-DSS and in a way where none of our staff members are able to see your full card number. We never store your 3 or 4 digit security code.
- We store papers in lockable cabinets in our offices when not being actively used and we have a secure off-site document storage facility for archived papers.
- Our offices are secure and only personnel holding appropriate security passes can access areas where personal data are stored.
- When necessary, we dispose of or delete your data securely.
- We ensure that our employees, agents and contractors are aware of their privacy and data security obligations and we take reasonable steps to ensure that employees of third parties working on our behalf are aware of their privacy and data security obligations.
- We limit access to your personal information to those employees, agents, contractors and other third parties who have a need to know
8.2 Regular security reviews are held by us to ensure that the site remains safe and secure for your protection.
8.3 Data transmission over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
9. International Data Transfer
9.1 Our servers are situated in the UK, however we collect data from wherever users are situated. The information that we collect may therefore be transferred to the UK from any other country in which you may be located and will be subject to the UK data protection laws.
9.2 Your personal data may be transferred, processed and/or stored outside the European Economic Area (EEA), for example if the supplier or service provider of our choice is based outside the EU. If we transfer your information outside of the EEA in this way, and the country in question has not been deemed by the EU Commission to have adequate data protection laws, we will provide appropriate safeguards and we will be responsible for ensuring your privacy rights continue to be protected as outlined in this notice. By submitting your personal data, you agree to this transfer, storing or processing.
10. Data retention – How long we will keep your personal data
10.1 We will retain your information, including your name, address, email, phone number and card details (where applicable), for the duration of your membership of the site (where applicable) and for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
10.2 To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
10.3 At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning and reporting. If you haven’t used your account for a number of years, it will be flagged as ‘inactive’ and treated accordingly (we’ll either delete it or anonymise the data associated with it).
Our retention periods may be extended or reduced if we deem it necessary, for example, to defend legal proceedings or if there is an on-going investigation relating to the information.
11. Your rights
11.1 Under certain circumstances, by law you have the right to:
- Access the information held about you (commonly known as a "data subject access request")
- Ask us to make any necessary changes to ensure that it is accurate and kept up to date.
- Ask us to erase your personal information from our files and systems where there is no good reason for us continuing to hold it.
- Object to us using your personal information to further our legitimate interests (or those of a third party) or where we are using your personal information for direct marketing purposes.
- Ask us to restrict or suspend the use of your personal information, for example, if you want us to establish its accuracy or our reasons for using it.
- Ask us to transfer your personal information to another person or organisation.
You also have rights in relation to automated decision making which has a legal effect or otherwise significantly affects you. We do not carry out any automated processing, including profiling, which produces significant legal effects concerning you.
If you wish to exercise any of these rights, please contact us (see paragraph 1. Contacting Rose Theatre Kingston).
11.2 You may request us to cease sending you any marketing information at any time by updating your profile and contact preferences online or by notifying us in writing – please see paragraph 1. Contacting Rose Theatre Kingston. However, if you withdraw your consent to certain types of processing we may be unable to fulfil our obligations to you (eg provide customer service, process ticket bookings) or maintain your membership of the Rose website.
11.3 If you are under 18, please ensure that you obtain your parent/guardian's consent beforehand whenever you provide personal information to the Rose.
12. Queries and Complaints
12.1 If you have any questions about this privacy notice or how we handle your personal information, please contact us (see paragraph 1. Contacting Rose Theatre Kingston).
12.2 You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.