This privacy notice was last updated on 23rd May 2018 and a pdf copy can be downloaded using the link at the bottom of this page.
1. Introduction
2. What is Graeme Reid?
3. Definitions
4. When we will use our policies and procedures
5. Explaining the legal bases we rely on
Consent
Contractual obligations
Legal obligations
Vital interests
Legitimate interest
6. What sort of personal data do we collect and when, why and how we use it?
When you visit our website
When you contact us
When you are our client
When you are employed by our clients
After you have contacted us, been a client or employed by our clients
7. How we protect your personal data
8. How long will we keep your personal data?
9. Who do we share your personal data with?
10. Where your personal data may be processed
11. What are your rights over your personal data?
An overview of your rights
Your right to withdraw consent rights
Where we rely on our legitimate interest
Direct marketing
12. How can you stop the use of your personal data for direct marketing?
13. Registration with the Regulator
14. Contacting the Regulator
15. If you live outside the UK
16. Any questions?
This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we will store and handle that data and keep it safe.
Graeme Reid is a sole trader business providing Professional Stage Management Services within the entertainment industry. It is not a limited company.
For ease of explanation and to avoid overcomplicating this privacy notice, when we use the following words, we mean the following;
Our client – the person who pays us for our work
Project – any work on which either of us carries out professional services, for example, theatre production, event, filming, etc.
Your employer – the person who pays you for your work
Your colleagues – other people who are paid by your employer
When we use these terms, within this document or any correspondence relating to it, we are not making reference to our or your employment, tax or national insurance status.
In the case of an unpaid project, for example, a charity event, we mean these terms to indicate the normal working practice that would be expected.
We will use our policies and procedures at all times, unless one of the following applies on a particular project;
We are an employee of our client, with Tax and National Insurance deducted at source by our client. In these circumstances we would not be operating as a sole trader business and would be contractually obliged to follow all of our client’s policies and procedures.
When, in accordance with article 28 of the regulation, we are acting as a data processor on behalf of our client, who, in accordance with article 24 of the same, is the data controller. In this situation we may also need to follow additional policies and procedures which we have agreed with our client.
In both situations, we would ordinarily expect that our client is also your employer and that we are both working on the same project.
The law on data protection, based on the General Data Protection Regulation and formerly the Data Protection Act, sets out a number of different reasons for which a company may collect and process your personal data, including:
In specific situations, we can collect and process your data with your consent. This may be when you have ticked a box to receive regular communications from us in a paper or electronic document or on our website. When collecting your personal data, we’ll always make clear to you which data is necessary in connection with a particular service.
In certain circumstances, we need your personal data to comply with our contractual obligations. For example, if we are providing Company Stage Management services on a project that you are employed on, then we may need your contact details and to pass them on to your colleagues on the project.
In certain circumstances we will need your personal data to comply with our legal obligations, for example, those required by Her Majesty's Revenue and Customs (HMRC).
In specific situations, we may need to disclose your personal data to protect life. For example, if you are unable to give consent and require urgent medical treatment, then we may disclose your name, date of birth, address, medical information and details you have given us of who should be contacted in an emergency.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, maintaining our internal business records and company archives.
If you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below.
Remember that if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you or your employer have asked for.
We may collect your IP address, cookies and location data.
We do this based on our legitimate interests.
We do this so that: we can identify who is engaging with us through our website; how they use our website; and to test, develop and improve our website.
We may collect your contact details, for example, your name, address, email address, telephone number and social media username.
We do this on the basis of our contractual obligations, our legal obligations and our legitimate interests.
We do this so that we may: respond to your booking, comments, complaints, feedback or questions; provide you with the best service; and understand how we can improve our service based on your experience.
Handling information you send us enables us to respond. We may also keep a record of these to inform any future communication and to demonstrate how we communicated with you throughout.
We will collect copies of documents, emails and other correspondence you provide us, including signed contracts and payment information including bank account and card numbers.
We do this on the basis of our contractual obligation, our legal obligation and our legitimate interest.
We do this to: fulfil our contractual obligations to you, our client; and to protect you and our businesses from fraud and other illegal activities.
We will collect copies of documents, emails and other correspondence you or our client provide us, including signed contracts and financial information, such as, bank account details, card numbers, Unique Tax Reference (UTR), National Insurance (NI) Number and your Equity Pension Scheme (EPS) number.
We may also need to collect ‘special categories of personal data’, as defined under article 9 of the regulation, such as race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation.
We will do this on the basis of our contractual obligations, our legal obligations, vital interests and our legitimate interest. Additionally, when we need to collect ‘special categories of personal data’ we will do this for the reasons defined in paragraph 2a) consent, 2b) employment and/or 2c) vital interest of that article.
We do this to: fulfil our contractual obligations to our client; fulfil our client’s contractual obligations to you; protect and support your health and welfare; and to protect our client, yourself and our business from fraud and other illegal activities.
With your consent, we will use your personal data to keep you informed by email, web, text, telephone about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on.
Of course, you are free to opt out of hearing from us by any of these channels at any time.
To send you relevant, personalised communications by post in relation to updates, offers, services and products. We’ll do this on the basis of our legitimate business interest.
You are free to opt out of hearing from us by post at any time.
To send you communications required by law or which are necessary to inform you about our changes to the services we provide you, for example, updates to this Privacy Notice, product recall notices, and legally required information relating to your orders. These service messages will not include any promotional content and do not require prior consent when sent by email or text message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
To develop, test and improve the systems, services and products we provide to you. We’ll do this on the basis of our legitimate business interests.
To send you survey and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps make our products or services more relevant to you.
You are free to opt out of receiving these requests from us at any time by contacting us.
We know how much data privacy and security matters to all our clients and their employees. With this in mind we will treat your data with the utmost care and take all appropriate steps to protect it, including, where possible and practicable;
We limit who within our business has access to your data
We shred paper records before disposal
Our physical records, backup disks, etc. are securely stored when not in immediate use
Our computers and mobile devices are all password protected
We use strong and unique passwords for our logins
We take advantage of two-factor authentication to further secure our logins
Disk encryption is used to further protect the data we store and to limit meaningful access to it
We regularly monitor our systems for possible vulnerabilities and constantly review our security
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
We would ordinarily keep details of our projects for a minimum of seven years, as the Limitation Act 1980 places a time limit of six years on legal claims against contracts and Her Majesty's Revenue and Customs (HMRC) requires us to keep records of contracts, payments and invoices for seven years.
However, where we hold financial or contractual data relating to a project, we would ordinarily retain details of that project for one hundred years. This is because if there was a claim for underpaid pension contributions, there may, potentially, be no time limit on how far back may be claimed.
We will do this so that should any claim or query arise, we can fulfil our contractual obligations, our legal obligations and our legitimate interest.
In all instances, we would ordinarily have destroyed paper records after seven years or earlier and only hold digital records, as set out previously in section 7 of this notice.
We sometimes share your personal data with trusted third parties. Circumstances may be as follows:
To have items delivered for a project
To share relevant information with your colleagues to allow them to carry out their work as required by your employer, our client
To allow you to gain access to a place of work, such as a rehearsal room, theatre or school
To allow us to arrange visas, tickets, travel and accommodation for you, on your behalf or on behalf of our client, your employer
Should that be necessary:
We provide only the information they need to perform their specific services
They may only use your data for the exact purposes we specify in our contract with them.
We work closely with them to ensure that your privacy is respected and protected at all times
Additionally, we may list the names of the colleagues we have worked with on our projects, when these details were in the public domain, such as by inclusion in a programme, poster, official website or marketing campaign. We would do this on the basis of our legitimate interests.
Ordinarily your data will not be processed outside the UK and/or EU.
However, if you work on a project that requires us to travel and work overseas to deliver it, then it is likely that we will need to process your data in that country or territory, which may be outside the EU.
If we need to do this, we will do this with proper regard to the following articles of the regulation;
Article 46 – Transfers subject to appropriate safeguards
Article 48 – Transfers or disclosures not authorised by Union law
Article 49 – Derogations for specific situations – in particular paragraphs 1b), 1c) and/or 1f) which cover employment and vital interest.
You have the right to request:
Access to the personal data we hold about you, free of charge in most cases.
The correction of your personal data when inaccurate, incorrect, out of date or incomplete.
The right to deletion, for example when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end (such as the end of a warranty).
That we stop using your personal data for direct marketing (either through specific channels, or all channels).
That we stop any consent-based processing of your personal data after you withdraw that consent.
To do any of these, please contact us on privacy@gmreid.co.uk. If we decide not to action your request we will explain to you the reasons for our refusal.
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
You can stop direct marketing communications from us by contacting us by telephone, email, post or via social media.
We are not registered with the Information Commissioner’s Office (ICO) as we are exempt as we only process personal data for our core business purposes.
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us, regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
You can contact them by calling 0303 123 1113 or go online to www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites).
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
By using our services or providing your personal data to us, you expressly consent to the processing of your personal data by us or on our behalf. Of course, you still have the right to ask us not to process your data in certain ways, and if you do so, we will respect your wishes.
Sometimes we’ll need to transfer your personal data between countries to enable us to supply the goods or services you’ve requested. In the ordinary course of business, we may transfer your personal data from your country of residence to ourselves in the UK and to third parties located in the EU.
By dealing with us, you are giving your consent to this overseas use, transfer and disclosure of your personal data outside your country of residence for our ordinary business purposes.
This may occur because our information technology storage facilities and servers are located outside your country of residence and could include storage of your personal data on servers in the UK.
We will ensure that reasonable steps are taken to prevent third parties outside your country of residence using your personal data in any way that’s not set out in this Privacy Notice. We will also make sure we adequately protect the confidentiality and privacy of your personal data.
We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.
If you have any questions that haven’t been covered, please contact us on privacy@gmreid.co.uk.