Date of creation: May 2018
Date of next review: May 2019
For a PDF copy of this document, please follow this link: online copy.
SMASHfestUK, trading as The Refinery Productions Ltd., are a not-for-profit community organisation that brings informal educational opportunities to young people and their families through Arts and STEM activities. Our activities include, but are not limited to, an annual free community STEAM festival, educational projects and STEAM outreach in schools in collaboration with other organisations. In order to do this effectively, we sometimes need to collect, hold and use some personal data (information) from individuals such as, but not solely, name or contact details. This policy explains what we do, why and how we keep your data secure. You may share your personal data with SMASHfestUK / The Refinery Productions Ltd. when you sign up for an event, sign up to our mailing list, participate in our evaluation activities or decide to collaborate with them. We also may collect data from you in order to fulfil a request e.g. to respond to a question you have raised or have contacted you to seek a work collaboration. Under the General Data Protection Regulation (GDPR) 2018 we have a legal responsibility to ensure that data is processed lawfully, fairly and in a transparent manner in relation to individuals. We must ensure that the personal data we hold is:
- Collected for specific, clear and legitimate purposes and only used in the ways which were specified when the data was originally collected.
- Relevant and limited only to the data that we need
- Accurate as far as is reasonable and kept up to date where required
- Only kept for as long as is necessary and securely destroyed afterwards
- Processed securely
How we use your data
When you provide us with your data, either via a form on our website (e.g. sign up to an event or our mailing list), on a paper form or over email, we will be clear with you about why we need this information, how we store it securely and how we use it.
Ticketing data (e.g. transactions that require you to sign up to/attend an event and buy/request a ticket for one of our activities).
Mailing list (e.g. you provide us with data that we will use to get in contact with you via email).
When you sign up to our mailing list you will be able to choose what contact information you provide and how we contact you, if applicable, and what we contact you for. We may also use this data internally for monitoring responses to our mail outs and understand our audiences better.
Photo Consent (e.g. you provide with consent to use media records for different purposes, which usually involves providing us with data that identify the person that provides consent).
In the case of events and other activities requiring so, we will ask you if you want to give us consent to take photos/film and or/comments of you/your child (as applicable) as a record of the day and for promotional purposes. These media may appear on our website, social media, email newsletters, in our printed material produced for promotional purposes (includes leaflets, posters and adverts), in materials sent out to the media or in reports to funding bodies. In this case, we will ask you to provide us with relevant details so that we can notify you of any changes in our policy and identify those that give consent from those that don’t. We will not include personal details, e-mail or postal addresses, telephone or fax numbers on any of the public materials previously cited. However, these details will be stored using GDPR compliant software that can be secured and kept on these for the relevant amount of time (usually 5 years). It is important to notice that we will modify our photo consent forms according to the needs of the event it has been created for. Although some details (such as what and why the data is needed) might change on a project-by-project basis we will keep the general guidelines of the photo consent and privacy policies as previously outlined, which you will be able to read before filling out the form. In any circumstance, our photo consent forms will clearly state the reasons why we need your data, how it is treated, how to opt-in and how to opt-out.
If you provide your data to us for any other purposes, we will be clear about what we need and why, how your data will be used and how you can opt out of this where applicable e.g. ‘unsubscribe’ button at the end of the email.
We do not share your data with any third-party organisations for them to contact you unless you have given specific consent for this. For example, if you come to an event/see a show you may choose to sign up to receive information from that particular performance company as well as from SMASHfestUK. We work with GDPR compliant organisations to process your data. Those organisations cannot use your data themselves for any other purposes and we remain the data controllers.
How we keep your data secure
We keep your data secure by using GDPR compliant software and organisations to process your data, for example, GDrive which has built-in security settings which we can use to protect your data. At times, we will need to gather data through physical forms (e.g. photo consent form). These physical documents will be:
Scanned and uploaded on GDPR-compliant software, these will be then used as online copies only for the amount of time specified (e.g. 5 years if a photo consent form).
The physical copies will then be securely destroyed.
If you were to enforce your right to be forgotten, we will dispose of the online copies via the relevant procedures, of which you will be notified. Any documents or software containing your data will be password protected and only authorised members of SMASHfestUK staff will have access to this data if they need it to undertake their duties (e.g. Data Protection Officer)
You can withdraw your consent to your data being processed at any time. You can also request to restrict processing e.g. that we can use your data to send you information about one type of activity but not another. You should also be able to quickly and easily request that the data we hold about you is updated and any corrections made. You also have the right to be forgotten e.g. all data held about you removed, and the right to data portability e.g. for us as an organisation to provide your data in a format which is then suitable to be transferred to another organisation or that we undertake that transfer for you. If the data is being processed for any other purposes that will impede us from fulfilling the request, we will explain to you why this is the case. You can also submit a subject access request, whereby we as an organisation would provide all of the data we hold on you. This must be done free of charge and within one month of the request. As an organisation, we can extend the period of compliance by a further two months where requests are complex or numerous and we will inform you within one month of this and explain the reasons why. If a request is excessive or clearly without relevant purpose, in particular where it involves repetitive tasks, we can choose to charge a reasonable fee, proportionate to the administration incurred or to refuse the request. In the event that a request is refused, we will respond within one month to explain the reasons for this decision and inform you of your right to complain to a supervisory authority or take legal action.
For any questions about the way we use data, the data we hold on you or to change or update your preferences, please contact email@example.com with subject ‘Data Protection Officer - GDPR query’.
Cookies & our website (www.smashfestuk.com)
Date of creation: May 2018
Date of next review: May 2019
(Please be aware that reviews of this policy can happen at any time. You will be notified of these changes and will be given a time period to review your consent)