Purpose of policy
We care about our relationships with all visitors, participants and supporters and we are committed to protect any personal data we collect from you, be explicit about what purposes we are using it for, and make it easy for you to be in charge of your own data.
Using personal information allows us to develop a better understanding of our audiences and in turn provide you with relevant and timely information about the work that we do. As a charity, it also helps us to engage with potential donors and supporters. We use your information in accordance with all applicable laws concerning the protection of personal information. From May 2018 data protection and privacy law is covered by the General Data Protection Regulation (GDPR).
The purpose of this policy is to clearly explain:
- What information we may collect about you
- How we may use that information
- In what situations we may disclose your details to third parties
- Information about how we keep your personal information secure, how long we maintain it for and your rights to be able to access it
In all instances the data controller of your personal information is Centre for Chinese Contemporary Art Ltd. (otherwise referred to here as ‘CFCCA’)
If you have any queries regarding this policy or to request details about the data we hold please contact us by email at email@example.com and label this communication as private and urgent. Please note, when contacting the team for assistance the receiver may need to authenticate your identity before fulfilling your request. This is to protect you and any information we hold about you.
Who we are
Centre for Chinese Contemporary Art Ltd. (CFCCA) is a charity funded by Arts Council England as well as various trusts, foundations and individual donors and supporters. Our registered charity number in England and Wales is 518992 and we are also registered as a company in England and Wales under registration number 2137427.
We collect various types of information and in a number of ways which are detailed below. Data may be shared by departments within CFCCA in order for us to undertake a range of communication and evaluation activities; either electronically, in print or through other channels. Only when we have your explicit consent to do so will we share your personal information with third parties, for example with our funders for evaluation and reporting purposes.
Information you give us
When you subscribe to mailing lists or other marketing communications, apply for an opportunity, make an enquiry, a purchase, or a donation, we’ll store the personal information you give us. This might include your name, email address, postal address, telephone number and card details. We will also store a record of any financial transaction conducted by CFCCA; for example the amount, what it was for, the date received.
Information about your interactions with us
When you visit our website, we collect information about how you interact with our content and ads. When we send you a mailing we store a record of this, and in the case of emails we keep a record of which ones you have opened and which links you have clicked on.
Information from third parties
Occasionally we may use the profiling services provided by trusted third party organisations to provide general information about our stakeholders, compiled using publicly available data. We use tools like this to assist us with providing targeted information and improve our services. We also gather information from publicly available third party resources, e.g. directories or charity registers, to assist us with identifying new and potential stakeholders.
Sensitive personal data
Data Protection law recognises that certain categories of personal information are more sensitive, such as health information, race, religious beliefs and political opinions. We do not usually collect this type of information about our audiences unless there is a clear reason for doing so. As an example, we may collect health information to help us identify whether we have a duty to make a reasonable adjustment for participants to access a specific programme or event.
We collect information in order to:
- provide and manage services such as attendance at free and charged events
- deliver our responsibilities in regard to a contract e.g. venue hire or other paid-for supply of services
- manage contact with, and provide information to, stakeholders
- communicate news about CFCCA including events and invitations
- administer donations, including Gift Aid
- understand who our audiences are to improve our services, or to provide evaluative information to third party funders or programme partners (we will only share information with third parties if you have expressly given your consent for us to do so)
- identify potential donors and sources of funding for, amongst other activities, learning and engagement, talent development, capital projects and our artistic programme
- monitor equality of opportunity
- provide an appropriate environment, schedule, or level of support to participants in our activities
- respond to emergency situations appropriately for participants in our activities
There are three legal bases under which we may process your data:
When you make a purchase from us or make a donation to us, you are entering into a contract with us. In order to perform our duties to deliver this contract we need to process and store your data. For example we may need to contact you by email or telephone in the case of cancellation of an event, or in the case of problems with your payment.
Legitimate business interests
In certain situations we collect and process your personal data for purposes that are in our legitimate organisational interests. However we only do this if there is no overriding prejudice to you by using your personal information in this way.
With your explicit consent
For any situations where the two bases above are not appropriate, we will instead ask for your explicit consent before using your personal information in that specific situation.
We aim to communicate with you about the work that we do in ways that you find relevant, timely and respectful. To do this we use data that we have stored about you, which might include events you have attended in the past, or any preferences you may have told us about.
We use our legitimate organisational interest as the legal basis for communications by post and email. In the case of postal mailings, you may object to receiving these at any time using the contact details at the end of this policy. In the case of email we will provide you with an option to unsubscribe in every marketing email that we send you, or you can alternatively use the contact details at the end of this policy.
We may also contact you about our work by telephone however we will always get explicit consent from you before doing this. Please bear in mind that this does not apply to telephone calls that we may need to make to you related to your purchases or contract with us (as above).
Other processing activities
We may analyse data we hold about you to ensure that the content and timing of communications that we send you are as relevant to you as possible. We may analyse data we hold about you in order to identify and prevent fraud. In order to improve our website we may analyse information about how you use it and the content and ads that you interact with. We may use profiling techniques or third party wealth screening and insight companies to provide us with information about you that will help us to communicate in a relevant way with you, in particular when we are approaching you about potential philanthropic support. Such information is compiled using publicly available data about you.
In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the end of this policy. Please bear in mind that if you object this may aﬀect our ability to carry out tasks above that are for your benefit.
There are certain circumstances under which we may disclose your personal information
to third parties. These are as follows:
- To the subsidiaries described above when it is necessary for them to be able to provide
you with products or services that you’ve requested.
- To our own service providers who process data on our behalf and on our instruction (for example our ticketing provider). In these cases we require that these third parties comply strictly with our instructions and with data protection laws, for example around security of personal data.
- Where we are under a duty to disclose your personal information in order to comply
with any legal obligation (for example to government bodies and law enforcement
- To funders, programme partners and co-commissioners involved in an event you have attended. In these cases we will always ask for your explicit consent before doing so.
Cookies are small text files that are automatically placed onto your device by some websites that you visit. They are widely used to allow a website to function (for example to keep track of your basket) as well to provide website operators with information on how the site is being used.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Our website uses Google Analytics to collect statistical data – please visit Google Analytics Terms of Service for full details.
Your debit and credit card information
If you use your credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
You can find more information about this standard here https://www.pcisecuritystandards.org/ and in our Credit Card Security Policy – a copy of which can be provided on request.
Payments taken over the telephone are carried out in compliance with PCI-DSS and card details provided verbally are not stored. We never store your 3 or 4 digit security code.
Maintaining your personal information
Information is retained for as long as necessary for the purpose for which it is required, and in line with CFCCA’s Retention Schedule, which has been informed by legal and regulatory requirements or guidance.
We want to be sure that we have the most up-to-date information for you. If you discover that we have outdated information, such as address, e-mail address or change of name, please contact us so we can update our records.
Any objections you make to any processing of your data will be stored, retaining just enough information to ensure your preferences are respected in the future.
Security of your personal information
We will never sell your personal data or provide it to a third party for their marketing purposes without your consent. We will put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep your personal information as secure as possible. We will ensure that any third parties we use for processing your personal information do the same.
Where your information is stored
Your information is stored on secure, password protected databases and networks. Access to the information is given only to staff with the appropriate authorisation. Data is held mainly in the United Kingdom with some on servers within the European Union.
CFCCA operates CCTV camera surveillance throughout the building. The system is in place for the purposes of reducing the threat of crime generally, protecting the premises and helping to ensure the safety of our staff and visitors. The images are stored securely. Images may be shared with Greater Manchester Police if required for the investigation of crime.
CFCCA uses photography and film at events to promote its activities, build new audiences and report to funders. These images may be used on our website, social media channels and in written reports to funders. Any events being photographed will be clearly signposted to make the public aware. You may request not to be photographed. We will seek parental consent to take photographs of children and young people under the age of 18.
Your rights to your personal information
You have a right to request a copy of the personal information that we hold about you and to have any inaccuracies in this data corrected or all or part of it removed from our records. Please use the contact details at the end of this policy if you would like to exercise this right.
You can also opt out at any time via the unsubscribe link included in email bulletins or by contacting us via the details below. We undertake to respond to your request within one month of receipt.
Contact details and further information
Or send an email to firstname.lastname@example.org
Please label any communications as private and urgent.
Please note, when contacting the team for assistance the receiver may need to authenticate your identity before fulfilling your request. This is for your safety and ours.
If you wish to find out more about your rights and the legislation, the supervisory authority in the UK is the Information Commissioner’s Office and their telephone helpline can be contacted on 0303 123 1113.
If you are dissatisfied with CFCCA’s response to your request for access to your data, or handling of your request to rectify or erase your data, you may report your concerns to the Information Commissioner’s Office on their website: https://ico.org.uk/concerns/