PAVILION

Privacy Policy

Last updated 24 May 2019

1. Who we are
Pavilion is a company limited by guarantee (no.01692928) and a charity (Registration no.513682).

2. Purpose of this Notice
This Notice explains how we will collect and use your personal data. We are the data controller for personal data that we process about you. Throughout this Notice, “we”, “our” and “us” refers to Pavilion, “you” and “your” refers to those expressing an interest in Pavilion’s activities, including audiences, participants and collaborators, together with those who later become a collaborator with Pavilion.

3. Change in the law
Until 24 May 2018 we shall process your personal data in accordance with the Data Protection Act 1998 (or DPA for short). From 25 May 2018, we shall process your personal data in accordance with the General Data Protection Regulations (GDPR). This Notice complies with requirements under both DPA and GDPR.

4. Changes to this Notice
Prior to the implementation of GDPR, we are likely to make changes to this Notice. We shall inform you of any changes to this Notice. Notification will be through the appropriate medium of communication e.g., where our main contact with you is by email, we will email you. Updates to our Privacy Policy will be made here.

5. Anything you are not clear about
If there is anything you are unclear about, please contact info@pavilion.org.uk and we will be happy to answer any queries you may have concerning this Notice or the way in which we process your personal data.

6. Where does Pavilion get your personal data from?
We obtain personal data about you from the following sources:
a) From you when you register onto our events, sign up to our mailing list, apply to our programmes of work, make a donation to us or contact us directly.
b) From previous interactions with us where you have shared your personal data for the purposes of collaboration, research and benefaction.

7. What type of information is collected from you?
The personal information that we may collect from you could include:
• Name and title.
• Contact information including email address.
• Demographic information such as the town or city you live in.
• Preferences of the type of information you would like to receive from us.
• Payment details if we have processed debit or credit card payments from you or have been supplied bank details.

8. Cookies
Google Analytics:
We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information. We therefore do not collect or store your personal information (e.g. your name or address) so this information cannot be used to identify who you are.

Third Party Cookies:
These are cookies set on your machine by external websites whose services are used by Pavilion, including social media platforms like Twitter and Instagram. You should be aware that these sites are likely to be collecting information about what you are doing on the internet, including on this website.

Links to other websites:
From time to time, we may provide links to other websites from our website. Our privacy policy is limited to our own organisation and website.

9. Categories of personal data being processed
We will collect and process personal data about you for the purposes described below.
We will not collect “sensitive personal data” as described under the DPA and “special categories of data” as described under the GDPR. Such “sensitive personal data” or “special categories of data” includes: information about your racial or ethnic origin, gender, sexuality, religious beliefs or other beliefs, physical or mental health and criminal history.

10. The purposes for which we process your personal data
In general terms, we process your personal data in order to administrate your engagement with Pavilion. This includes invitations to attend events and exhibitions, and notifications of opportunities to work collaboratively with Pavilion, including volunteer opportunities.
We may also use it as follows:
• To contact you with information you have specified you are interested in.
• For internal record keeping.
• For statistical reporting.
• For sector research purposes.
• To process an order or donation that you have made.
• To carry out our obligations with you in respect of a contract entered into by you and us.

11. The legal basis for processing your personal data.
Article 6(1)(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. E.g. joining Pavilion’s mailing list. Should you later wish to be removed from the Pavilion mailing list please use the unsubscribe link in any email that you receive. Alternatively, please contact info@pavilion.org.uk and we will remove you from our contact list or change your mailing preferences accordingly.
Article 6 (1)(b) Contract: the processing is necessary for a contract we have with the individual. E.g. the processing is necessary to fulfil a contractual commitment between us and you relating to the delivery of a project you are participating in.
Article 6 (1)(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations). E.g. processing personal data to comply with Pavilion’s legal obligation to HMRC.
Article 6 (1)(d) Vital interests: the processing is necessary to protect someone’s life. Sometimes in extreme circumstances Pavilion will have to release information to protect your interests. E.g. in medical emergencies.
Article 6 (1)(f) Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. E.g. contacting a journalist with Pavilion press information that they would expect to receive in their professional role (business to business activity).
It is recognised that some of the above grounds will overlap and that Pavilion could rely on multiple grounds justifying its lawful processing.

12. Who might we share your data with?
We do not sell information to third parties. We do not share information with third parties for marketing or promotional purposes.
We may have to share some information with third parties who are working on our behalf for example companies who are processing payments on our behalf or who provide us with software we utilise to store data, such as accountancy information, our bank or our data systems. They are only provided with the information required in order to undertake their services to us and are not permitted to utilise any of this information to carry out their own marketing.

13. Security
We are committed to ensuring that your information is kept safe and secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial processes to safeguard and protect your data.

14. Unwanted communication
You have a choice about whether or not you want to receive information from us, and the types of information you are interested in receiving. If we contact you with regard to information you do not want to receive, please contact info@pavilion.org.uk and we will remove you from our contact list or change your preferences accordingly.

15.Transfers to third party countries
Sometimes, to achieve the purposes for which we are processing your personal data, (e.g., an application to a commission or residency opportunity) we may need to share your personal data with other organisations based within the European Union or countries that have comparable levels of protection.

16. Retention Periods
We review our retention periods for personal information on a regular basis. Below outlines Pavilion’s current guidelines for retention of your data:
• Application data: application forms to Pavilion programmes and projects and interview information.
Maximum period: 12 months after cessation of relationship.
• Event data: details of who attended events. Maximum period: 12 months after event.
• Inbound queries: details of queries and actions taken. Maximum period: 12 months after cessation of relationship.
• Outbound queries: details of queries and actions taken. Maximum period: 12 months after cessation of relationship.
• Programme participation and partnerships: details of who received support through our programmes and what that support was, details of involvement with Pavilion as a collaborating partner.
Maximum period: 6 years after participation ends.
• Financial data: information relating to payments. Minimum period: 6 years after end of engagement. Maximum period: 6 years after end of engagement.
• Archive: The above retention periods will not apply in circumstances where we have made additional contractual agreements with individuals to archive project information or creative project outcomes in perpetuity.

17. Your rights as a data subject
Under GDPR you have the right to:
• Withdraw consent where that is the legal basis of our processing;
• Access your personal data that we process;
• Rectify inaccuracies in personal data that we hold about you;
• Be forgotten, that is your details to be removed from systems that we use to process
your personal data;
• Restrict the processing in certain ways;
• Obtain a copy of your data in a commonly used electronic form; and
• Object to certain processing of your personal data by us.
Please see https://ico.org.uk for further information on the above rights. You may also contact the Pavilion team at info@pavilon.org.uk for further information.
You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see https://ico.org.uk.

18. Up to date information
If at any time your contact details or preferences change, please contact us to update the information we hold about you. Please contact info@pavilion.org.uk.

19. Children aged 16 and under
Children aged 16 or under should seek the permission of a parent or guardian before providing personal information.

20. Privacy policy review
This policy was last reviewed in May 2018 and is subject to regular review.

21. Concerns and contact details
If you have any concerns with regard to the way your personal data is being processed or have a query with regard to this Notice, please contact us at info@pavilion.ac.uk.
Our general postal address is Pavilion, 42 New Briggate, Leeds, LS1 6NU, UK. 

42 New Briggate
Leeds, LS1 6NU
UK

info@pavilion.org.uk

Company no.01692928
Charity no.513682