privacy policy

for the: festival collection limited; trading as; sausage and cider fest

Last updated: 10th may 2019

Approved by: Group Marketing Manager

Introduction

Festival Collection Limited, (‘we’) is a Limited organisation whose registered address is PO Box 748, Fareham, Hampshire PO14.

These addresses are securely locked and alarmed when not occupied.

Festival Collection Limited needs to gather and use certain information about individuals.

These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored

to meet the company’s data protection standards — and to comply with the law

Why this policy exists;

This data protection policy ensures Festival Collection Limited:

Complies with data protection law and follow good practice
Protects the rights of staff, customers and partners
Is open about how it stores and processes individuals’ data
Protects itself from the risks of a data breach

Data Protection Law

The Data Protection Act 1998 describes how organisations — including [Festival Collection Limited ]— must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

Be processed fairly and lawfully
Be obtained only for specific, lawful purposes
Be adequate, relevant and not excessive
Be accurate and kept up to date
Not be held for any longer than necessary
Processed in accordance with the rights of data subjects
Be protected in appropriate ways
Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

People, Risks and Responsibilities

Policy Scope

This policy applies to:

The head office of Festival Collection Limited
All branches of Festival Collection Limited including and not limited to Sausage & Cider Fest
All staff and volunteers of Festival Collection Limited
All contractors, suppliers and other people working on behalf of Festival Collection Limited.

It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:

Names of Individuals
Postal Addresses
Email Addresses
Telephone Numbers
Any other information relating to individuals

Data Protection Risks

This policy helps to protect Festival Collection Limited from some very real data security risks, including:

Breaches of confidentiality.

For instance, information being given out inappropriately.

Failing to offer choice.

For instance, all individuals should be free to choose how the company uses data relating to them.

Repetitional damage.

For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities

Everyone who works or is a potential contractor for or with Festival Collection Limited has some responsibility for ensuring data is collected, stored and handled appropriately.

Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.

However, these people have key areas of responsibility:

The Board of Directors is ultimately responsible for ensuring that Festival Collection Limited meets its legal obligations.

The [Data Protection Officer], Elliott Dalton (ED) is responsible for:

Keeping the board updated about data protection responsibilities, risks and issues.
Reviewing all data protection procedures and related policies, in line with an agreed schedule.
Arranging data protection training and advice for the people covered by this policy.
Handling data protection questions from staff and anyone else covered by this policy.
Dealing with requests from individuals to see the data Festival Collection Limited holds about them (also called ‘subject access requests’).
Checking and approving any contracts or agreements with third parties that may handle  the company’s sensitive data.

The [IT Manager], Elliott Dalton, is responsible for:

Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
Performing regular checks and scans to ensure security hardware and software is functioning properly.
Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
The [Marketing Manager], Elliot Dalton, is responsible for:
Approving any data protection statements attached to communications such as emails and letters.
Addressing any data protection queries from journalists or media outlets such as newspapers.
Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

General staff guidelines

The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
ED will provide training to all employees to help them understand their responsibilities when handling data.
Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
In particular, strong passwords must be used and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

Data Storage

These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.

These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

When not required, the paper or files should be kept in a locked drawer or filing cabinet.
Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Data should be protected by strong passwords that are changed regularly and never shared between employees.
If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office space.
Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
All servers and computers containing data should be protected by approved security software and a firewall.

Data Use

Personal data is of no value to Festival Collection Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:

When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
Personal data should never be transferred outside of the European Economic Area.
Employees should not save copies of personal data to their own computers.
Always access and update the central copy of any data.

Data Accuracy

The law requires Festival Collection Limited to take reasonable steps to ensure data is kept accurate and up to date.

The more important it is that the personal data is accurate, the greater the effort Festival Collection Limited should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
Staff should take every opportunity to ensure data is updated. For instance, By confirming a customer’s details when they call.
Festival Collection Limited will make it easy for data subjects to update the information Festival Collection Limited holds about them. For instance, via the company website.
Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.

Subject Access Requests

All individuals who are the subject of personal data held by Festival Collection Limited are entitled to:

Ask what information the company holds about them and why.
Ask how to gain access to it.
Be informed how to keep it up to date.
Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request.

Subject access requests from individuals should be made by email, addressed to the data controller at info@livetourpromotions.co.uk . The data controller can supply a standard request form, although individuals do not have to use this.

Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days.

The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Providing Information

Festival Collection Limited aims to ensure that individuals are aware that their data is being processed, and that they understand:

How the data is being used
How to exercise their rights

To these ends, the company has a privacy statement, setting out how data relating to  individuals is used by the company is available on this website and by contacting Festival Collections Limited on the details above.

All of the above are data processors to Festival Collection Limited as data controller. We have GDPR compliant processor contracts in place with all of the above named parties. All processors undertake to keep the data within the EEA or are compliant and certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

Policy Statement

1. Festival Collection Limited intends to comply with GDPR or the same as subsequently enacted into UK domestic law at Brexit.

2. We will therefore:

Only process as much personal data as is necessary for the services we supply.
Only hold such data for so long as necessary for those purposes. In this connection we have decided that ten years following the last contact with an individual is usually an appropriate period to hold data covering the legal limitation period (six years) and a moderate margin. As in most cases this is only archived data is not sensitive, not dangerous and will not be used. there will be little risk to data subjects.
Only process such data on grounds for lawful processing provided within GDPR Article 6.
Send or otherwise provide appropriate notices (GDPR Articles 13 and 14) to those whose personally identifiable information (“Personal Data”) is processed by us including our employees, and individuals or individuals within partners who supply us with goods or services. We will also send such notices to individuals within organisations, to whom generic marketing communications (eg newsletters) are sent.

Not engage in direct marketing to clients or prospects otherwise than in accordance with the relevant legislation and guidance from the ICO.
Utilise appropriate organisational and technical measures to ensure that Personal Data processed by us is kept secure.
Where we use third party data processors, we will choose them carefully with a view to their data security and compliance with GDPR and have GDPR compliant contracts with them.
Not transfer Personal Data (which includes giving third parties access to it within our IT system) to recipients located outside the European Economic Area and the UK without confirmation from our Data Protection Officer that such transfer is lawful.
Update this document from time to time so that it remains an accurate record of our data processing activities and policies.

3. We conclude that where we hold and process such personal data for the purposes of direct marketing to those individuals’ employers we should, unless guidance from the ICO says otherwise, either:

1. obtain consent to that direct marketing from the individuals and send the notices required by Articles 13 and 14 to the individuals; or

2. be satisfied that we have a legitimate interest in holding that Personal Data and using it for that purpose.

Our processing

1. Customers

Personal data collected: Full Name, Email address, Telephone Number, Address
Special categories of data collected: None
Data origination: Provided by individual
Storage location: Mail Chimp, Fatsoma, Eventbrite, Squarespace, Google, Shopfy, Eventbrite
Identified data usage: Event ticket sales history, Event Sign up, New product introduction, Affiliated brands
Third parties with access: None
Retention period: 10 Years

2. Employees of suppliers, contractors and clients

Personal data collected: Email Address, Full Name, Business Name, Postal Address, Role Title, Telephone, Signature and Bank Details

Special categories of data collected:

Data origination: Provided by individual
Storage location: Eventbrite Server, Mail Chimp Server, Locked Filing Cabinet and Internal Server, Dropbox
Identified data usage: Client invoices, supplier payments, marketing and communications, credit management and fraud prevention
Third parties with access: Just Develop iT BOOKKEEPERS (Accountants), Xero - Accounting Software
Retention period: 10 Years

4. Data Storage

Festival Collection Limited stores and processes some of its data remotely:

Cloud-based platform providers Google, Eventbrite, Fatsoma, Mail Chimp.
Hard Drive stored safely at outsourced location in locked and secure position.

5. Organisational and technical measures

We use the following organisational and technical measures to ensure the confidentiality of personal data:
Provisions that contractors who process data are required to consider the use of lockable filing cabinets, secure storage for archived files and the use of a shredder or confidential waste bin for hard copies of paperwork, file notes, incoming and outgoing letter correspondence containing personal data.
For electronically held data employees who process data are required to consider using storage on the work one drive or platforms approved by the Data Protection Officer, password protection on all files containing personal data, the use of Festival Collection Limited Limited’s secure platforms for processing data, running up to date antivirus and malware systems, installation of adequate firewalls, the secure destruction or disposal of IT equipment.
Email accounts are individually assigned and not shared with colleagues or third parties. Access to emails are only authorised for third parties for specific purposes by Senior Management Team members.
We hold GDPR compliant contracts with all data processors.

6. Consent

We do not engage in direct marketing to individuals except in their capacity as a member of our Company or as a conduit for our company.

Following consultation with the ICO and a review of the appropriate legislation, we have concluded that as our customers have purchased through Eventbrite, Fatsoma and other ticket sales platforms we do not need consent in communicating through digital means with our customers about our related products and services. We believe that as a customer there is a legitimate interest in receiving this information which is noted as a lawful reason for processing data in Recital 47. In all communications there is an opt-out and the customer will have received an article 13 or 14 notice prior to receiving any communications at all.

We will keep the proposed replacement of The Privacy and Electronic Communications (EC Directive) Regulations 2003 and guidance from the ICO under review.

We are aware that consent under GDPR must be freely given, specific, informed and unambiguously given by a statement or a clear affirmative action and that we have to keep a record of each consent obtained for as long as we are using it. We do not currently believe that any of our processing of Personal Data, except for the sending of the commercial marketing, requires data subject consent.

7. Legitimate Interests

Recital 47 of the GDPR reads: “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.”

We rely on legitimate interest as justifying much of our processing of Personal Data as we have assessed that the majority of our processing activity would be in the reasonable expectations of those we process data about. Our activities reliant on legitimate interest are  as follows:

Suppliers, and partners: Our suppliers and partners are not usually individuals so here we are dealing with the identifiable employees of our suppliers and clients who require us to deal with such individuals or self employed individuals. We require their personal data (email, office address, telephone numbers) to enable us to contact them in the context of their job. If an employee leaves a client or supplier, we remove their details from the CRM and other systems (or we would be communicating with the wrong person). They expect that we will hold their contact details for this purpose.
Customers: When individuals purchase products or utilise services through our trading company we have access to process this data to administer our contracted duties and send them carefully selected information about our products and services.
Affiliated Brands: We may AT time work with OR own ourselves, affiliated brands that maybe of interest to existing customers. Customers may from time to time receive information about these brands we work alongside with.

In all the above cases we believe that we have a legitimate interest in carrying out that processing and that the processing has no significant risk to the rights and freedoms of the individuals concerned.

8. Notices

As noted elsewhere we do not believe that GDPR should be interpreted as requiring an Article 13 or Article 14 notice to be sent to every data subject whose personal data we are processing. We do believe that such notices should be sent to:

Suppliers and clients once engaged with Festival Collection Limited

10. Processors

We have identified the following parties as data processors:

Google - In the provision of One Drive applications
Xero - In the provision of accounting software
Eventbrite - In the provision of ticketing services
Festicket - In the provision of ticketing services
Fatsoma - In the provision of ticketing services
Mailchimp - In the provision of Email Marketing Services
Shopify - In the provision of Email & Sales Marketing Services

The above parties either have a direct contract using Festival Collection Limited model contract or through GDPR compliant terms and conditions of use of service.

11. Communication & Data Policy

A customers privacy and right to not be spammed will always take priority over marketing preferences and targeted mailers.

Festival Collection Limited will never compromise our privacy promise in return for up-front monetary compensation.

People only receive announcements (email, push notifications, feed items) about events or affiliated brands if:

They have signed up with one of our ticketing agents and follow the specific brand.
They have purchased a ticket from one of our events or affiliated events .
They have signed up to direct or indirect marketing via the Sausage & Cider Fest website or a third party channel.
They have openly provided email addresses for e-correspondence.
They have opted in subject to the new GDPR compliance regulations.

All data stored and collected is subject to GDPR regulations, and Husky Events will not compromise on this.

12. How We Use Your Personal Data (Legal Basis for Processing)

Festival Collection Limited does not and will not disclose, share or sell your data without your consent, unless required to do so by law.

The purposes and reasons for processing your personal data are detailed below:

We collect your personal data in the performance of a contract and to provide you with our products and services.
We use your personal information to answer your queries and provide industry specific advice
We use your personal information to send you updates and run regular competitions.
We collect and store your personal data as part of our legal obligation for business accounting and tax purposes
We may also contact you for feedback on your use of our products, services or our website and may need to use your information to send important notices, such as the GDPR where there have been regulation/law revisions or changes to our terms, conditions and policies.
We collect your personal data for important event announcements and information, cancellations or rescheduling communications.
We collect your personal data for marketing purposes including electronic marketing.

13. Your Rights

You have the right to access any personal information that Husky Events holds or process about you and to request information about:

What personal data we hold
The purposes of the processing
The categories of personal data concerned
The recipients to whom the personal data has/will be disclosed
How long we intend to store your personal data for

If we did not collect the data directly from you, information about the source

If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible, unless there is a valid reason for not doing so, at which point you will be notified.

You also have the right to request erasure of your personal data or to restrict processing in accordance with the data protection law, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.

If we receive a request for any of the above rights, we may ask you to verify your identity before acting on the relevant request; this is to ensure that your data is protected and kept secure.

14. Sharing and Disclosing Your Personal Information

We do not share or DISCLOSE any of your personal information without your consent, other than for the purposes specified in this notice, where there is a legal requirement or to enforce our terms and conditions.

15. Safeguarding Measures

Festival Collection Limited takes your privacy seriously and we take every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures and procedures in place to maintain the safety of your data.

16. Consequences of Not Providing Your Data

You are not obligated to provide your personal information to Festival Collection Limited, however, your personal information is necessary to ensure that we are able to deliver services and effective communication and in some instances we will not be able to provide services, products or reminder notifications without this information.

17. Lodging a Complaint

Festival Collection Limited only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.

Information Commissioner’s Office Wycliffe House Water Lane WILMSLOW SK9 5AF 0303 123 1113

Appendix

Article 1 - Fatsoma Compliance Statement

Article 2 - Fatsoma Consumer Rights

Article 3 - Mailchimp Privacy Policy