Pentabus is committed to protecting your personal information and being transparent about the information we hold, whether you are a collaborator, audience member, job applicant, customer, website visitor, donor or a participant in one of our workshops.
The purpose of this policy is to provide a clear explanation about how Pentabus collect, hold process and store your information and the measures we have in place to keep it safe and secure, whether it is collected or provided online, by phone, email, in person, by letter or through social media.
1. Contacting Pentabus
For the purpose of the GDPR (General Data Protection Regulation, 2018) the data controller is Pentabus Arts Limited, trading name Pentabus, and we are a Registered Charity in England and Wales. If you want to know what information we hold about you or if you have any other queries in relation to this Privacy Notice, our contact details are as follows:
Postal Address: The Old School, Bromfield, Shropshire, SY15 6PP
Email: email@example.com FAO Catrin John, Executive Director.
2. Personal Information
Pentabus collects, holds and processes personal data from our employees, volunteers, artists, creative teams, workshop leaders, job applicants, workshop participants, donors, Friends, enewsletter members and audience members.
When we say personal data or personal information, we mean the details that you may provide about yourself and any information which identifies you, such as your name, address, email address, telephone number, country of residence or any photographs.
We do hold some sensitive information when there is a clear reason for doing so, for example if you participate in our workshops, we may need to know about your health.
As an Arts Council England National Portfolio Organisation (NPO), certain funders may require us to collect information about gender, ethnicity, religious beliefs, socio-economic background or sexuality, which we will also collect anonymously from job applicants. We will keep this information securely in password protected locations, only accessible to relevant staff members. We only retain this information for as long as required to report on our work to our funders and Arts Council England, before destroying/deleting. While collecting and holding this information, we will also anonymise it wherever possible
3. Collecting your Information
We may collect personal information about you when you ask about our activities; register and participate in workshops or events; make a donation or become a Friend or supporter; volunteer for us; apply for a job with us; sign up for our e-newsletter; contact us online, by phone or in writing or collaborate with us on any of our productions or projects.
Most of the personal information we hold is provided directly from the person themselves, but some data could be provided by third parties such as referees, workshop leaders or managers or partner venues.
We will occasionally share personal data with other organisations where it is of legitimate interest, such as sharing production contact lists with venues hosting our shows.
Third party services may also collect information on our behalf such as Just Giving, Go Cardless and Enthuse (for processing donations and memberships); Eventbrite (for administering events) and Mailchimp for our enewsletter sign up. These companies will also have their own privacy statements.
Pentabus has social media accounts on Facebook, Instagram, Twitter, YouTube, Vimeo, Soundcloud, SnapChat and LinkedIn. Depending on your settings or the privacy policies for these sites, by connecting with us on any of these channels you might give us permission to access your information on those accounts or services.
We also may collect an automatically populated IP address when you use our website or email service. This public IP address is a unique number which allows a computer, group of computers or other internet connected device to browse the internet. The log file records the time and date of your visit, the pages that were requested, the referring website (if provided) and your internet browser version. This anonymous information is collected to help diagnose and manage the website, to audit the geographical make-up of users, and to establish how they have arrived at the website.
We are a registered charity (no: 287909) and rely on voluntary contributions from our audience and other donors. If you are a donor we may use a number of basic research tools to estimate your potential interest in supporting us further.
We know that our donors would expect us to have ascertained a level of interest and considered the appropriateness of a request for donations before approaching them. We therefore research some of our customers and supporters and occasionally potential supporters to find shared interests. This research may include information we hold on them and publicly available information (for example, through social media, Companies House and the Charities Commission), where they live, their age and similar demographics. In some cases, we will rely on legitimate interest for processing data of potential supporters; this information will help us meet our obligations to protect the charity from financial fraud and risk.
4. How we use your information
We will only use your information for the following purposes:
- To provide you with information about our online content or activity that you have agreed to receive.
- For marketing purposes where you have specifically consented to receive marketing communications from us.
- For recruitment purposes.
- To produce and facilitate touring theatre productions and workshops with host venues and co-producers.
- For fundraising purposes where you have specifically consented to receive fundraising communications from us.
- To process online payments and set up direct debits.
- To claim Gift Aid to fulfil sales and purchases.
- To communicate with participants of our events and workshops about event details.
- For internal record keeping.
- To invite you to participate in surveys or research.
- To develop aggregated data for analysis and reporting to funders.
- To analyse and improve the activities and content offered.
Pentabus will never share, sell, rent or trade your personal information to any third parties for marketing purposes.
Some of our service providers may have access to your data in order to perform services on our behalf – payment processing is a good example of this. We make sure anyone who provides a service for Pentabus enters into an agreement with us and meets our standards for data security. They will not use your data for anything other than the clearly defined purpose relating to the service that they are providing.
Additional information for job applicants, employees, freelancers and artists:
If you apply for a role with Pentabus, we will hold the personal information you provide to process your application and we may undertake monitoring of recruitment statistics as required by employment and data protection law.
If we want to disclose information to a third party, for example where we want to take a reference up or obtain “disclosure” from the Disclosure and Barring Service, we will not do so without asking you beforehand, unless the disclosure is required by law.
If you apply to work with us we’ll only hold your data for the purposes of that application. We won’t hold your personal information for any longer than is necessary for the purposes of that application, unless you give us permission to do so.
5. Security Measures
We take the security of your data seriously. All digital personal information has appropriate technical controls in place to protect your data; any sensitive information is kept encrypted or password protected locations and personal information is deleted when no longer required for the original purpose.
Hard copies of personal information are stored in locked locations with access limited to relevant staff only.
Our network is protected and routinely monitored. We regularly undertake reviews of who has access to what information to ensure that access to personal information is restricted and appropriate.
Where we use external companies that may process data on our behalf we will check that these companies comply with the law and our policy before working with them.
We will only share your data where we have your explicit and informed consent, unless we are required to disclose your details to the police, regulatory bodies or legal advisors for a lawful basis.
If Pentabus are responsible for personal data which is lost, stolen or hacked, we have a duty to report this breach to the ICO within 72 hours of becoming aware of it. If the breach is “high risk” and likely to have an impact on the individuals affected, we will inform them as soon as possible.
Pentabus is not responsible for the privacy notices and practices of other websites even if accessed using links from www.pentabus.co.uk and recommends that you check the policy of each website you visit and contact its owner or the Data team if you have any concerns or questions.
Despite all our precautions, no data transmission over the internet is 100% secure. So, we cannot guarantee the security of any information which you disclose to us and so wish to draw your attention to the fact that you do so at your own risk.
6. Retention of your data
We regularly review the length of time we keep personal data, and will only keep your information for as long as required to complete the original purpose of collection. If required to report on employees, attendees of workshops or productions for funding purposes, we will retain the information up to the point where we have reported the relevant information to our funders or Arts Council England.
Unsuccessful job applicants will have their data deleted after three months after the appointment has been made. If a candidate was second choice for a role, we may retain their information until the probation period has been completed by the candidate appointed.
Pentabus maintain a retention schedule to track personal information held by the company and to ensure that information that is no longer required for its original purpose is securely deleted in a timely manner. This allows us to track documents which may need to be retained for longer; for example, HR documents for employees must be retained for six years after employment ends for legal reasons.
7. Your Right to Access your Data
You have the right to request the information we hold about you at any time by submitting a written Data Subject Access Request. We will require proof of ID before releasing any information.
We will provide you with a description or copies of your information held by Pentabus within 30 days, unless your request is particularly complex, in which case it may take up to 3 months.
8. Your Right to Correct Incorrect Information and Your Right to Be Forgotten
You have the right to keep your personal data accurate and up to date. If you have reason to believe that Pentabus holds incorrect or out of date information about you, please make a written request by contacting firstname.lastname@example.org and we will respond within 30 days regarding your request to rectify, erase or destroy that data.
You have the right to be forgotten. If you would like your personal data held by Pentabus to be erased, please make a written request by contacting email@example.com We will respond within 30 days.
We will erase the data as requested if it is no longer necessary for the purpose it was originally collected, or if you initially consented to us holding the information and have now withdrawn consent, if the information was collected and retained on a legitimate interest basis which no longer applies or we need to comply with a legal obligation.
The right to be forgotten does not apply when the information needs to be retained to perform a task in the public interest, comply with a legal obligation, or to exercise the right of freedom of expression and information, or for the establishment, exercise or defence of legal claims. The right will also not apply in cases where processing is required for public health purposes in the public interest.
Other reasons why a request to be forgotten may be denied is if it is manifestly unfounded or excessive or whether the request is repetitive in nature.
9. Your Right to Complain to the ICO
If a request is denied, we will inform you of this within 30 days and tell you the reasons we are not taking action. We will also inform you of your right to make a complaint to the ICO or Charities Commission, and your ability to seek to enforce the request through legal action.
10. Privacy Notice Review
We regularly review this Privacy Notice to ensure that it is up to date and fit for purpose. We will notify you about any significant changes to the way we treat personal information by sending a notice to the primary email address you have provided or by placing a prominent notice on our website.
Last reviewed October 2020