Last updated 24 May 2019
1. Who we are
Pavilion is a company limited by guarantee (no.01692928) and a charity (Registration no.513682).
2. Purpose of this Notice
This Notice explains how we will collect and use your personal data. We are the data controller for personal data that we process about you. Throughout this Notice, “we”, “our” and “us” refers to Pavilion, “you” and “your” refers to those expressing an interest in Pavilion’s activities, including audiences, participants and collaborators, together with those who later become a collaborator with Pavilion.
3. Change in the law
Until 24 May 2018 we shall process your personal data in accordance with the Data Protection Act 1998 (or DPA for short). From 25 May 2018, we shall process your personal data in accordance with the General Data Protection Regulations (GDPR). This Notice complies with requirements under both DPA and GDPR.
4. Changes to this Notice
5. Anything you are not clear about
If there is anything you are unclear about, please contact email@example.com and we will be happy to answer any queries you may have concerning this Notice or the way in which we process your personal data.
6. Where does Pavilion get your personal data from?
We obtain personal data about you from the following sources:
a) From you when you register onto our events, sign up to our mailing list, apply to our programmes of work, make a donation to us or contact us directly.
b) When you use our website.
c) From previous interactions with us where you have shared your personal data for the purposes of collaboration, research and benefaction.
7. What type of information is collected from you?
The personal information that we may collect from you could include:
• Name and title.
• Contact information including email address.
• Demographic information such as the town or city you live in, your age bracket.
• Information about what pages have been accessed on our website.
• Preferences of the type of information you would like to receive from us.
• Payment details if we have processed debit or credit card payments from you or have been supplied bank details.
Third Party Cookies:
These are cookies set on your machine by external websites whose services are used by Pavilion, including social media platforms like Twitter and Instagram. You should be aware that these sites are likely to be collecting information about what you are doing on the internet, including on this website.
Links to other websites:
9. Categories of personal data being processed
We will collect and process personal data about you for the purposes described below.
We will not collect “sensitive personal data” as described under the DPA and “special categories of data” as described under the GDPR. Such “sensitive personal data” or “special categories of data” includes: information about your racial or ethnic origin, gender, sexuality, religious beliefs or other beliefs, physical or mental health and criminal history.
10. The purposes for which we process your personal data
In general terms, we process your personal data in order to administrate your engagement with Pavilion. This includes invitations to attend events and exhibitions, and notifications of opportunities to work collaboratively with Pavilion, including volunteer opportunities.
We may also use it as follows:
• To contact you with information you have specified you are interested in.
• For internal record keeping.
• For statistical reporting.
• For sector research purposes.
• To process an order or donation that you have made.
• To carry out our obligations with you in respect of a contract entered into by you and us.
11. The legal basis for processing your personal data.
Article 6(1)(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. E.g. joining Pavilion’s mailing list. Should you later wish to be removed from the Pavilion mailing list please use the unsubscribe link in any email that you receive. Alternatively, please contact firstname.lastname@example.org and we will remove you from our contact list or change your mailing preferences accordingly.
Article 6 (1)(b) Contract: the processing is necessary for a contract we have with the individual. E.g. the processing is necessary to fulfil a contractual commitment between us and you relating to the delivery of a project you are participating in.
Article 6 (1)(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations). E.g. processing personal data to comply with Pavilion’s legal obligation to HMRC.
Article 6 (1)(d) Vital interests: the processing is necessary to protect someone’s life. Sometimes in extreme circumstances Pavilion will have to release information to protect your interests. E.g. in medical emergencies.
Article 6 (1)(f) Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. E.g. contacting a journalist with Pavilion press information that they would expect to receive in their professional role (business to business activity).
It is recognised that some of the above grounds will overlap and that Pavilion could rely on multiple grounds justifying its lawful processing.
12. Who might we share your data with?
We do not sell information to third parties. We do not share information with third parties for marketing or promotional purposes.
We may have to share some information with third parties who are working on our behalf for example companies who are processing payments on our behalf or who provide us with software we utilise to store data, such as accountancy information, our bank or our data systems. They are only provided with the information required in order to undertake their services to us and are not permitted to utilise any of this information to carry out their own marketing.
We are committed to ensuring that your information is kept safe and secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial processes to safeguard and protect your data.
14. Unwanted communication
You have a choice about whether or not you want to receive information from us, and the types of information you are interested in receiving. If we contact you with regard to information you do not want to receive, please contact email@example.com and we will remove you from our contact list or change your preferences accordingly.
15.Transfers to third party countries
Sometimes, to achieve the purposes for which we are processing your personal data, (e.g., an application to a commission or residency opportunity) we may need to share your personal data with other organisations based within the European Union or countries that have comparable levels of protection.
16. Retention Periods
We review our retention periods for personal information on a regular basis. Below outlines Pavilion’s current guidelines for retention of your data:
• Application data: application forms to Pavilion programmes and projects and interview information.
Maximum period: 12 months after cessation of relationship.
• Event data: details of who attended events. Maximum period: 12 months after event.
• Inbound queries: details of queries and actions taken. Maximum period: 12 months after cessation of relationship.
• Outbound queries: details of queries and actions taken. Maximum period: 12 months after cessation of relationship.
• Programme participation and partnerships: details of who received support through our programmes and what that support was, details of involvement with Pavilion as a collaborating partner.
Maximum period: 6 years after participation ends.
• Financial data: information relating to payments. Minimum period: 6 years after end of engagement. Maximum period: 6 years after end of engagement.
• Archive: The above retention periods will not apply in circumstances where we have made additional contractual agreements with individuals to archive project information or creative project outcomes in perpetuity.
17. Your rights as a data subject
Under GDPR you have the right to:
• Withdraw consent where that is the legal basis of our processing;
• Access your personal data that we process;
• Rectify inaccuracies in personal data that we hold about you;
• Be forgotten, that is your details to be removed from systems that we use to process
your personal data;
• Restrict the processing in certain ways;
• Obtain a copy of your data in a commonly used electronic form; and
• Object to certain processing of your personal data by us.
Please see https://ico.org.uk for further information on the above rights. You may also contact the Pavilion team at firstname.lastname@example.org for further information.
You have a right to complain to the Information Commissioner’s Office about the way in which we process your personal data. Please see https://ico.org.uk.
18. Up to date information
If at any time your contact details or preferences change, please contact us to update the information we hold about you. Please contact email@example.com.
19. Children aged 16 and under
Children aged 16 or under should seek the permission of a parent or guardian before providing personal information.
This policy was last reviewed in May 2018 and is subject to regular review.
21. Concerns and contact details
If you have any concerns with regard to the way your personal data is being processed or have a query with regard to this Notice, please contact us at firstname.lastname@example.org.
Our general postal address is Pavilion, 42 New Briggate, Leeds, LS1 6NU, UK.