Aberdeen Performing Arts is committed to protecting your personal information and being transparent about what information we hold about you. Using personal information allows us to develop a better understanding of our customers and, in turn, to provide you with relevant and timely information about the work that we do – both on and off the stage. As a charity, it also helps us to engage with potential donors and supporters. The purpose of this policy is to give you a clear explanation about how we collect and use the information we collect from you directly and from third parties.
We will use the information that we collect about you in accordance with all the applicable laws concerning the protection of personal information. They are the General Data Protection Regulation 2016 and the Privacy and Electronic Communications Regulations 2003. This policy explains:
· What information we may collect about you
· How we may use that information
· In what situations we may disclose your details to third parties
· Information about how we keep your personal information secure, how we maintain it for you and your rights to be able to access or amend it.
Aberdeen Performing Arts is a private limited company by guarantee (company number SC238959) and a registered charity (charity number SC033733). Our catering, box office and commercial activities are run by a wholly owned subsidiary trading company, Aberdeen Performing Arts Trading Company Limited (company number SC254182). Aberdeen Performing Arts is a Creative Scotland Regularly Funded Organisation and also receives funding from the local authority. In addition, we have a number of project funding partners at any one time – from the public sector, business, trusts and sponsors. The rest of our income comes from sponsorships, donations and commercial activities such as the fees from ticket sales, conferences and events, catering and hospitality.
The charitable objectives for which Aberdeen Performing Arts is established are:
i) To present, provide or assist in the provision of facilities at reasonable cost for the performing arts, including but not limited to, music, opera, drama, contemporary and traditional dance and entertainment for the general public in the interests of social welfare and improving conditions of life;
ii) To advance the education of the public in the performing arts by presenting, promoting, sponsoring, supporting and assisting in the development of public interest in, and awareness of, the performing arts within the facilities and in the community through the use of outreach programmes, publications and other media promotions.
· To provide clear, honest and open information about how we use your data.
· To give you the choice about how we use your data.
· To use your data appropriately and in a way that would be reasonably expected by you.
· To only share your data with other organisations where you have given your consent for us to do so, or where we need to do so to fulfil our contract with you.
· To be accountable and responsible: to take active steps to protect your data from harm, and to have separate and enhanced procedures for the use of sensitive data (such as data relating to children or disability).
· To ensure our staff and partners (suppliers and artists) understand these principles and their responsibilities in delivering them.
You have the following rights related to your personal data:
· The right to withdraw consent at any time
· The right to request a copy of personal information held about you
· The right to request that inaccuracies be corrected
· The right to request us to stop processing your personal data
· The right to lodge a complaint with supervisory bodies such as the Information Commissioner's Office or Fundraising Regulator
· The right to erasure of personal data
· The right to restriction of processing
· The right to data portability
Aberdeen Performing Arts is the data controller for any data we hold about you. We collect various types of information and in a number of ways:
We will store personal information you give us, such as your name, your email address, postal address, and telephone number, when you register on our website, buy tickets or make a donation. We will also store a record of your purchases and donations, including what you have purchased, the value of the purchase, and when the purchase was made.
We collect information about how you interact with our content and ads when you visit our website. When we send you a mailing, we store a record of this, and in the case of emails, we keep a track of which ones you have been sent and whether you open them or click on any links in them. In this way, we can make sure we are sending you the most relevant information. We also use social media to broadcast messages and updates about events and news. On occasion we may reply to comments or questions you make to us on social media platforms. You may also see adverts from us on social media that are tailored to your interests. Depending on your settings or the privacy policies of social media services like Facebook or Twitter, you might give third parties permission to access information from those accounts or services.
Very occasionally, we may ask for information about you from third parties. For example, we may use third party research companies to provide general information about you from publicly available data.
Data protection law recognises that some categories of personal information are more sensitive, such as medical information, race, religious beliefs and political opinions. We do not usually collect this type of information about our customers unless there is a clear reason to do so. For example, we would collect medical information about participants in our creative learning classes and workshops. In some cases, we might collect observational data about our audiences when we are asked to do so by bodies such as the Scottish Government – in this example, we would not associate the information with any individual person. Any such information is only collected where necessary, is subject to enhanced security measures, used only for the purposes agreed, and erased when no longer necessary. Where we need to process any sensitive data that specifically relates to you as an individual, we will obtain your specific consent for this.
Aberdeen Performing Arts may process your data using one of three legal bases.
Performance of a contract: When you make a purchase from us or make a donation, you are entering into a contract with us. We need to process and store your data to perform this contract. For example, we may need to contact you by email or telephone in the case of a show cancellation or if there is a problem with your payment.
Legitimate interest: We collect and process your personal information for purposes that are in our legitimate business interests. However, we only do this if there is no overriding prejudice to you by using your personal information in this way. We describe below all situations where we may use this basis for processing.
Explicit consent: For any situations where the two bases above are not appropriate, we will instead ask for your explicit consent before using your personal information in that specific situation.
Aberdeen Performing Arts wishes to communicate with you about the work that we do in ways that you find relevant, timely and respectful. To do this, we use the data that we have stored about you, such as what events you have booked for in the past, as well as any preferences you may have told us about.
We use our legitimate business interests as the legal basis for communications by post and email. In the case of postal mailings, you may object to receiving these at any time using the contact details at the end of this policy. In the case of email, we will give you an opportunity to opt out of receiving them during your first purchase with us. If you do not opt out, we will provide you with an option to unsubscribe in every email that we subsequently send to you. Alternatively, you can use the contact details at the end of this policy.
In some circumstances, we may contact you about our work by telephone, but only when you have given us your explicit consent to do so. Please bear in mind this does not apply to telephone calls that we may need to make to fulfil any contractual obligations (as above).
In addition to direct marketing, Aberdeen Performing Arts also processes personal information in the following ways that are within our legitimate business interests:
· To ensure that the content and timing of communications that we send you are as relevant to you as possible.
· To identify and prevent fraud.
· To improve our online services by analysing how you use our website and the content and ads you interact with.
· To provide us with information about you that will help us to communicate in a relevant way with you, in particular when we are approaching you about potential philanthropic support. We may use profiling techniques or third party wealth screening and insight companies. This information is compiled using publicly available data about you.
· To invite peers and contacts to events we hold, such as opening nights.
· To ensure we don’t send unwanted communications to people who have opted out.
· To collate and respond to customer comments.
· To log any customer incidents that resulted in an incident report form being created and contact if required.
· To keep registration lists, medical information, and emergency contact information for participants in our creative learning classes and workshops.
· To record CCTV footage to keep our venues safe and secure.
In all of the above cases, we will always consider the impact of any communication on your fundamental rights and freedoms. You always have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the end of this policy.
We will not share any personal details with any other third parties without your agreement, unless required in order to fulfil our contract with you, or allowed by law. There are certain circumstances under which we may disclose your personal information to third parties. These are as follows:
· When it is necessary for them to be able to provide you with products or services that you have requested.
· To our own service providers, who process data on our behalf and on our instruction as the data controller. These providers include our Ticketing and Events Systems providers, Email and Mail distribution services. We have agreements in place with each to ensure that your data is secure at all times and cannot be accessed or used for any other purpose. We also require that these third parties comply strictly with our instructions and with current data protection laws.
· Where we are under a duty to disclose your personal information to comply with any legal obligation, for example, to the police, regulatory bodies or legal advisors.
· To specific named visiting companies whose performances you have attended. In these cases, we will always ask you for your explicit consent before doing so. We have specific data sharing agreements in place with the following cultural partners: Aberdeen Festivals, BBC Scottish Symphony Orchestra, Royal Scottish National Orchestra, Scottish Ballet, Scottish Chamber Orchestra, Scottish Opera. You should check their Privacy Policies when you share your information to understand fully how they will process your data.
· We may share personal information with other organisations, such as Culture Republic and Purple Seven, who use this to analyse ticket sales for national and regional research into patterns of arts attendance in Scotland. This assists with reporting to funders and strategic planning, helping us to make better business decisions. Your personal data is never used by them to contact you, nor passed or sold on to any other agencies or companies, and we have agreements in place to ensure this.
Cookies are small text files that are automatically placed onto your device when you visit our website. This means that a website will remember you and enable online transactions. We use “cookies” to help us make our site – and the way you might use it – a better experience for you. It also helps us understand how you use our website, where we can make improvements and how best to tell our audiences about events they might be interested in.
If you use a credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). We use Secure Socket Layer (SSL) encryption for all your transactions with APA. This system encrypts all your personal information, including credit card number, name, and address, so that it cannot be read if intercepted by a malicious third party.
We optionally allow you to store your card details for use in a future transaction. This is carried out in compliance with PCI-DSS and in a way where none of our staff members are able to see your full card number. We never store your 3- or 4-digit security code.
We will retain your data for as long as is legally or practically necessary for our business. We will store all the purchases you make under a single, unique customer record where possible. If there are aspects of your record that are inaccurate or that you would like to remove, you can usually do this by logging into your account through our website. Alternatively, please use the contact details at the end of this policy. Any objections you make to any processing of your data will be stored against your record on our system so that we can comply with your requests. Once the necessity to keep your information is past, we have a regular programme of data suppression and deletion. This ensures that your data is not held indefinitely on our systems.
Aberdeen Performing Arts takes information security very seriously. Your data is always held securely. We put in place appropriate safeguards (both in terms of the technologies we use and the policies and procedures we publish) to keep your data as secure as possible. For example, access to customer information is strictly controlled and can only be accessed by people who need it in order to do their job. Certain data, for example sensitive information, is additionally controlled and is only made visible to members of staff who have a reason to work with it. We will ensure that any third parties we use as data processors on our behalf do the same.
Where personal data must be transferred outside of the European Economic Area, we ensure that adequate security measures are in place. Where we transfer data to North America, with providers such as, but not limited to AudienceView (our ticketing software supplier), Facebook and Twitter, we ensure they comply with EU law or are registered under the EU-US Privacy Shield. You can find out more about Privacy Shield at www.privacyshield.gov/welcome
If you have any queries about this policy, how your data is used, or if you wish to be removed from any communications or data processing activities, please contact the Data Protection Officer:
By mail: Aberdeen Performing Arts, His Majesty’s Theatre, Aberdeen, AB25 1GL
By email: email@example.com