Welcome to our website. If you continue to browse and use this website you are agreeing to comply with and be bound by the following terms which govern PASCAL THEATRE’s relationship with you in relation to this website.
PASCAL THEATRE may change these policies from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes.
The term “PASCAL THEATRE” “us” or “we” refers to the owner of the website. The term “you” refers to the user or viewer of our website.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. The cookie is used in most websites and helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. We use Google Analytic to monitor the usage of our website. This helps us analyse data about web page traffic and improve our website in order to tailor it to our users needs. We only use this information for statistical analysis purposes only and do not hold any information that would allow user to be identified personally from web traffic logs.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
PASCAL THEATRE is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us firstname.lastname@example.org as soon as possible. We will promptly correct any information found to be incorrect.
By opting in to our mailing list, you agree to PASCAL THEATRE using your personal data to send you emails regarding PASCAL THEATRE. Your data will only be used by us to send you these communications. You can unsubscribe from this list now or anytime by clicking the unsubscribe link in the footer of any email you receive from us.
PASCAL THEATRE COMPANY GDPR POLICY Data Protection: Introduction
PASCAL THEATRE COMPANY (PTC) is a small scale arts company and Registered Charity.
We collect data from our Members and from others who attend our training courses and events and from staff, contractors and suppliers.
This Policy sets out our procedures for the collection, storage, use and sharing of personal data and data for electronic business to business communications.
The Policy will be reviewed by the Board every three years, or earlier if there are changes to legislation and/or PTC’s use of data. Current relevant legislation is: the Data Protection Act (“the Act”), the General Data Protection Regulations (“the GDPR”) and the Privacy and Electronic Communications Regulations (“PECR”) ).
What data is relevant?
Data Protection legislation is concerned with the use of personal data, held on electronic systems, in paper filing and online identifiers such as location data and cookies.
Personal data is defined by the Information Commissioners Office (“the ICO”) as data that relates to a living individual who can be identified:
- from that data, or from that data and other information in the possession of (or likely to come into the possession of) the data controller such as expressions of opinion about an individual;
- from codified records that do not identify individuals by name but, for example, bear unique reference numbers that can be used to identify the individuals concerned.
Special categories of personal data means information that could be used in a discriminatory way. This might include:
- ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union membership
- physical or mental health or condition
- sexual life
- any proceedings for any offence committed or alleged to have been committed by the
data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Who’s who in data processing
A data subject: anyone whose data is processed.
A data controller: the organisation/ person who decides how and personal data is/will be, processed. Data controllers will usually be organisations, but can be individuals, for example self-employed consultants.
A data processor: any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
In line with the GDPR we will ensure that when we process personal data we have the data subject’s consent and that the data subject has been made aware that they have the right to withdraw their consent. Consent must be:
- specific to the purpose for which we are using the data;
- active not implied: silence is not consent; pre-ticked boxes, inactivity, failure to opt-out or passive acquiescence will not constitute valid consent;
- freely given: consent will not be valid if the data subject does not have a genuine and free choice or cannot refuse or withdraw consent without detriment. Ways in which we may ask for consent include
- written consent;
- ticking a box on a web page;
- choosing technical settings in an app;
- verbal consent (which is then recorded in writing);
- any other statement/conduct that clearly indicates (in this context) the data subject’s acceptance of the proposed processing of personal data e.g.: cookie acceptance.
In line with PECR we will not contact individuals for direct marketing purposes by email, the internet, phone, fax or any new electronic systems that may be introduced without prior consent. (NB: Business to business communications to generic addresses such as “admin@” “info@” do not require consent.)
We provide opt-out opportunities in every mailing to ensure compliance with the principle that data held should be accurate and up to date.
All our mailings make it clear who the sender is, so the recipient’s ability to opt out is viable.
Who does PTC collect/process/store data from?
- Members: current, past and potential – this is unlikely to be personal data but it can be in some cases, particularly entry level organisations where people may be working from a home address and using personal email.
- Training: details of attenders and trainers – again this is unlikely to be personal data but may be from time to time.
- Staff recruitment: this will be personal data.
Staff records: this will be personal and some may be special category data.
How do we deal with data?
Members-joining PTC: our membership form makes it clear that we do not share data with any third parties and that applicants are given the choice to opt in to:
- PTC processing any personal data they may provide;
- PTC using their data for marketing purposes, i.e. to send news and training and events information;
- publication of email address/phone number on the PTC website.
Members-leaving PTC: member data will be deleted 12 months after membership lapses for any reason and this will be indicated on our renewal reminder letters. Members shall be given the option to have their data deleted earlier or retained longer.
PTC training booking forms include tick boxes to indicate:
- consent to PTC processing any personal data, in relation to the course booked;
- consent to us retaining any personal data provided for future notification of information about PTC training courses.
It also includes a statement that we do not sell, trade or rent personal data to others, information about the right to be forgotten and information on how to make a data subject request.
Our application form includes a declaration stating that the applicant understands that personal data is being processed solely for the purpose of this specific job application and that sensitive data in the Equal Opportunities Monitoring form is processed anonymously. It also states that we do not sell, trade or rent personal data to others, that application material will be destroyed after 12 months and information on how to make a data subject request.
Staff recruitment – diversity monitoring
These forms contain special category data by definition, however they are anonymous, separated from job application forms immediately and are destroyed as soon as the data is
processed. This is indicated on the form. Statistics drawn from this data will be kept for future use.
Our staff contract reflects the fact that the law allows us to collect some data about employees and that employees have the right to access this. The relevant clause says:
- Data protection: for the purposes of administration and fee payments, it is necessary for PTC to hold and sometimes disclose certain personal data about employees.
- Any data PTC holds about the Employee will only be held for so long as the Employee works for us, unless we are required to hold it for longer in order to comply with the law.
- PTC shall take every care to ensure personal data is held securely and in confidence.
- The Employee has the right to inspect data that PTC holds about her and, if necessary, update that data. Normally inspection of files can be within 10 working days of a request.
- If the Employee’s personal information changes at any time, the line manager must be informed as soon as possible to ensure that the information remains accurate.
Deletion of data: data subjects have the right to request to be “forgotten”, PTC will delete records in line with GDPR as follows:
- when processing can cause substantial damage or distress;
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- if the personal data was unlawfully processed.
PTC will not always delete records, a request to be forgotten can be refused where data has been processed:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes; or
- for the exercise or defence of legal claims.
Data Protection Officer
PTC does not need a designated Data Protection Officer under the GDPR, however, the General Manager is responsible for ensuring Data Protection Compliance, working with the Communications Co-Ordinator and the Legal & Industrial Relations Manager as appropriate.
Appendix A – The principles of good data protection practice
PTC processes data in line with the Act, which says that:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for specified, lawful purposes and shall not be further processed in any manner incompatible with such purpose(s).
- Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose(s) shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Appendix B – Statutory Data Retention Periods
Accident books, accident records/reports: three years from the date of the last entry. Accounting records: six years for us as a Company Guaranteed Against Loss.
Appendix C – Recommended non-Statutory Data Retention Periods
Application forms and interview notes (for unsuccessful candidates): 6 months to a year. Successful job applicants documents will be transferred to the personnel file.
Assessments under health and safety regulations and records of consultations with safety representatives and committees: permanently.
Personnel files and training records (including disciplinary records and working time records): six years after employment ceases.
Sickness Records to be kept for a minimum of three months after the end of the period of sick leave in case of a disability discrimination claim..
Trustees’ minute books: permanently.