1. PRIVACY COMMITMENT
Lincoln Performing Arts Centre and the www.lpac.co.uk website is owned and operated by University of Lincoln, Bayford Pool, Lincoln LN6 7TS.
The following complies with General Data Protection Regulation (GDPR).
This policy may change from time to time so please check it periodically.
This update is current as of 21 May 2018.
Please take a look at sections below and email email@example.com if you have any further enquiries around the usage and collection of your Personal Data.
2. ABOUT US (THE DATA CONTROLLER)
The Data Controller means the person or organisation who decides the purposes for which and the way in which any personal data is processed.
At Lincoln Performing Arts Centre the Data Controller is University of Lincoln.
You can contact us by emailing firstname.lastname@example.org or you can write to us via:
Information Compliance Officer
University of Lincoln
This section explains the sort of data we might collect about you.
3.1 The Data We Collect
In order to conduct and manage our business we collect, retain and use Personal Data and Sensitive Personal Data, referred to in this policy as “Personal Data”. We only collect, process and maintain the minimum necessary in order to provide our services effectively.
This information might be provided by you when using one of the services such as purchasing tickets, using our website, creating an account or subscribing to our email and postal marketing lists but it can also be collected from other sources, including third parties that you have authorised to pass on your information to us, or from data in the public domain.
Personal Data is information that relates to you (whether you are directly or indirectly identifiable), such as (but not limited to) your name, address, email address, telephone number, country of residence, date of birth, credit and debit card details, purchase history, location data, or online identifier e.g. IP Address and Cookies.
Special Category Data (sometimes called Sensitive Personal Data) refers to the above but specifically includes genetic data and biometric data, such as (but not limited to) religious or philosophical beliefs and political opinions, racial or ethnic origin, biometric data (e.g. photo in an electronic passport).
3.2 Retention of Your Personal Data
University of Lincoln retains your Personal Data only for as long as is necessary to fulfil its business needs and/or legal obligations. This period will vary depending on the service or function being performed but adheres to retention schedules that are regularly reviewed.
When the retention period is reached we may review whether we still need to retain it or update it. When we consider that the Personal Data is no longer needed for any purpose it will be securely deleted.
If you decide to that you no longer wish to do business with us we may keep some basic information so that we can confirm that the relationship existed – and that it has ended – as well as some of its details. This information may then be deleted in accordance with the appropriate retention policy.
For more information about your rights, such as the Right To Erasure please see Section 7 below.
3.3 Security of Your Personal Data
We take every precaution to protect your Personal Data.
We have put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep your personal information as secure as possible.
We will ensure that any third parties we use for processing your personal information do the same.
We will not transfer, process or store your data anywhere that is outside of the European Economic Area.
4. HOW WE USE YOUR PERSONAL DATA
In order to process your Personal Data we must have a lawful basis to do so. When we process your data we either do so to fulfil contractual obligations, you have given us your consent, it is in our legitimate interest, or we have a legal obligation to do so.
One of the most common occasions when we might process your Personal Data is when we need to do so in order to fulfil a contract. If you purchase tickets through our box office system, for example, we will process Personal Data including your name, address, email address, phone number and credit/debit card details. To fulfil our contract we may also send you order confirmations and pre-show information by email or post, or we might telephone you about your order.
In order to process a transaction your Personal Data including card details may be passed to third party service providers who act as Data Processors under instruction from us (see Section 5 below).
All of our Direct Marketing communications vial email and electronic messenger services are processed on the lawful basis of Consent.
When you opt in to receive direct marketing communications from us you agree to receive targeted news and information about events and activities (including fundraising), which we feel might be of interest to you.
For example, this communication might be about a new visit by a comedian you have seen before, news about our participatory activities, an advert about our membership scheme, a request for a donation or information about cultural activities taking place in Lincoln
You also have the opportunity to opt in to being contacted directly by specific visiting companies. When you opt into this you agree to your Personal Data being shared with a third party data controller (see Section 5 below).
You can withdraw consent at any time by logging into your Customer Account and updating your Data Preferences, clicking unsubscribe on a direct marketing email or by contacting us verbally or in writing via email@example.com or via the Information Compliance Officer at the address in section 2 above (see section 7.9 below).
4.3 Legitimate Interest
Legitimate Interests means that we can process your Personal Data if we have a genuine and legitimate reason and we are not harming any of your rights and interests.
Generally this means that when you provide Personal Data, unless stated otherwise, we will use this information for our legitimate interests to carry out our business of operating a theatre and arts organisation.
Before doing this, though, we will also carefully consider and balance any potential impact on you and your rights.
These are what we consider to be core ‘Legitimate Interests’, with some examples of the types of processes we might use to achieve them.
- Direct Marketing: Postal Communications: We will send you postal marketing that includes targeted news and information about events and activities (including fundraising), which we feel might be of interest to you. Promotions: administering promotional activities including competitions.
- Fundraising: We may approach you with requests for financial or other forms of support to help us achieve our mission, including the sale of memberships or other loyalty schemes. We may also use a number of basic research tools to estimate your potential interest in other fundraising opportunities, membership levels or other ways of supporting us further and match them to your account (see Section 4.4 below).
- Ordering: In order for us to process an order, payment has to be taken and Personal Data collected, such as name, delivery address and telephone number, credit and debit cards.
- Your Best Interest: Processing your Personal Data to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
- Personalisation: Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of existing, lapsed or potential customers or supporters.
- Analytics: To process your Personal Data for the purposes of customer analysis, assessment, profiling and segmentation and direct marketing (including targeted digital display adverts), on a personalised or aggregated basis, to help us with our activities and to provide you with the most relevant information. Please see Customer Profiles – Section 4.4 and Your details on the Web – Section 5, below
- Research: To determine the effectiveness of promotional campaigns and advertising and to develop our products, services, systems and relationships with you.
- Documentation: We may use photographs, film/videography, sound recording, quotations, feedback and survey responses to document our activities for promotional purposes and for journalistic, academic, artistic and literary functions.
- Due Diligence: We may need to conduct investigations on supporters, potential customers and business partners to determine if those companies and individuals have been involved or convicted of offences such as fraud, bribery and corruption.
- Administration: Of your Customer Account, in order to ensure your Personal Data is accurate and up-to-date we may contact you to update our records. From time to time we will also need to send you our website, policy and service announcement updates; for HR purposes, such as the collection and storage of CVs and applications; Health & Safety, such as recording accidents. Customer Care – responding to customer feedback.
- Data Protection: We will also hold information about you so that we can acknowledge your relationship with us and respect your preferences for being contacted by us.
When we process your Personal Data for our legitimate interests, we will consider and balance any potential impact on you and your rights under relevant legislation.
Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to do so by law). For more information on your rights see Section 7 below.
4.4 Customer Profiles
In accordance with our legitimate interests we may make use of profiling and screening methods to identify potential new customers and supporters, produce more relevant communications, target digital advertising and provide a better experience for our customers and supporters. Processing your Personal Data for profiling can help us target our resources more effectively by gaining an insight into the background of our customers and supporters, helping us to build relationships that are appropriate to your interests and capacity to engage and/or donate.
To do this we may use third party Data Processors. We may also use additional sources of data to increase and enhance the information we hold about you. This may include (but is not limited to) obtaining details of changes of address, date of birth, telephone numbers and other contact details, information related to your wealth, and demographic data generated through geo-demographic tools, such as Audience Finder and MOSAIC, survey results and psychographic data. It may also include information from public registers and other publicly available sources such as Companies House, newspapers and magazines.
If you wish to object to the processing of Personal Data in any of the ways listed above or you simply have questions about this please contact us via firstname.lastname@example.org or the Information Compliance Officer at the address in Section 2 above.
4.5 Children and Young People Under 18
Lincoln Performing Arts Centre champion’s children and young people under 18 engaging with the arts. In order to help us make it easier for them to do so this may involve the collection and processing of Personal Data.
If you are under 18 then we are particularly keen to make sure that you are aware of the risks involved in passing on your Personal Data. To make it easier to understand how we process your information we have created this document [link to document]
When ordering from us you are entering into a contract and this means we may need to process your Personal Data. If you are unsure what you are consenting to please speak to a member of the Lincoln Performing Arts Centre team or email email@example.com with your question.
We will generally process your Personal Data in the same way as we would for someone over the age of 18 but we have a responsibility to protect you from risks that you may not fully appreciate and from consequences you may not fully envisage. We’ve identified the following areas where we might process your Personal Data differently.
Using our legitimate interests to process your Personal Data. This means we will process your data because we have a necessary business reason to do so but in a way that does not conflict with your rights. We always carry out assessments and take into account the need to take extra care when processing your information in this way. We may still directly market to you and use your details for profiling and segmentation but we will also consider your age when communicating with you to avoid sending something content that is inappropriate.
When seeking consent to process your Personal Data for direct marketing via electronic communication, if you are under 13 we will need to ensure we have your parent or guardian’s consent as well. As a parent or guardian we encourage you to be aware of the activities in which your children are participating, both offline and online. If your children voluntarily disclose information, this may encourage unsolicited messages. We suggest that you discourage your child from providing any information without your consent.
5. SHARING YOUR PERSONAL DATA
We will never sell or rent your Personal Data to other organisations.
There are, however, certain circumstances under which we may disclose your Personal Data to third parties.
- Where we have your consent to do so.
- You have explicitly consented to sharing your Personal Data with specific named visiting companies whose performances you have attended.
- You have explicitly consented to sharing your Personal Data with specific named promoters, organisations or venues whose performance you have attended.
- When we use other companies to provide services on our behalf, e.g. processing, mailing or delivering orders, answering customers’ questions about products or services, sending mail and emails, customer analysis, assessment and profiling, targeted digital display advertising, and when using auditors/advisors or processing credit/debit card payments.
- When the data is anonymised and it is submitted to support industry benchmarking and research such as that commissioned by Arts Council England.
- It is to other departments of University of Lincoln including our subsidiaries (i.e. the companies owned by University of Lincoln).
- If we merge with another organisation to form a new entity, information may be transferred to the new entity.
- We are required by law or requested by the police or a regulatory or government authority investigating potentially illegal activities. We may also disclose Personal Data to appropriate third parties to assist in anti-fraud checks and investigations and for purposes of taxation.
- A list of our main Third Party Data Processors can be found in Section 8.
6. YOUR DETAILS ON THE WEB
Technology is increasingly changing how we communicate, consume and share information with each other and at first glance it’s not always clear who is responsible for your Personal Information and how it is being processed. This section outlines how your details are used by us on the web.
Cookies are small pieces of information that are stored by your browser on your computer or mobile phone’s hard drive when you browse website.
For more information on cookies, please visit: aboutcookies.org
6.1.1 Why We Use Them
Cookies help us:
- Make our website work as you would expect.
- Remember your settings during and between visits.
- Improve the speed/security of the site.
- Allow you to share pages with social networks like Facebook.
- Continuously improve our website for you.
- Make our marketing more efficient (ultimately helping us to offer the service we do at the price we do).
6.1.2 How Long Do Cookies Last?
When a web server sends a cookie, it asks your browser to keep that particular cookie until a certain date and time. These dates can be:
- Some date in the future – which might be a few minutes or a few hours from now (to track something like your shopping cart in an online store). The cookie might expire many years in the future, to keep track of your browser for a long time.
- When you close your browser – this is called a session cookie, the next time you start your browser these will have vanished.
- Some date in the past – this is how the server asks a browser to remove a previously-stored cookie.
6.1.3 What Cookies Do We Use
a) Our Cookies
b) Third party functions
Our site, like most websites, includes functionality provided by third parties.
- Providing our online ticketing service:
- Additional functionality:
- Youtube – an embedded video streaming service
- ShareThis – Social website cookies that allow you to easily ‘Share’ our content on social network sites via sharing buttons on our site from
The privacy implications on this will vary from social network to social network and will be dependent on the privacy settings you have chosen on these networks.
Disabling these cookies will likely break the functions offered by these third parties.
c) Anonymous visitor statistics cookies
- Google Analytics
d) Cookies used by Twitter and Facebook, including Advertising or targeting cookies:
These cookies provide information on visitors to Twitter and Facebook, check whether users are logged in to either platform and set application cookies for Twitter and Facebook.
Typically these types of cookies are used to deliver adverts, which will be more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and to help measure the effectiveness of the advertising campaign. They are normally placed by advertising networks with our permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Targeting or advertising cookies will often be linked to site functionality provided by the other organisation.
We use ‘Advertising’ cookies on the Lincoln Performing Arts Centre website to:
- Link to social networks, like Facebook, who may use information to provide targeted advertising to you on other websites.
- Used to identify that you have visited the Lincoln Performing Arts Centre website, to show you relevant adverts from us.
- Provide advertising networks with information on your visit so that they can present you with adverts that you may be interested in.
6.1.3 Turning Cookies Off
You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies. Doing so, however, will likely limit the functionality of ours and a large proportion of the world’s websites as cookies are a standard part of most modern websites.
6.2 Social Media – Targeted Digital Display Advertising
In Section 4 we outline how we process you Personal Data under the lawful basis of legitimate interest in order to undertake direct marketing including targeted digital display advertising.
To achieve this we convert your Personal Data into an easily readable format such as a CSV file and upload it to our browser where it is hashed locally before being sent to Facebook. Hashing turns the Personal Data in the file into short fingerprints of code that cannot be reversed. It happens before your data is sent to Facebook. This pseudonymised data is more secure as no third party can decrypt it. Once received, Facebook matches this hashed Personal Data against its own hashed Personal Data. The matches are then turned into a Custom Audience in our Facebook account and the matched and unmatched hashes are deleted. Facebook states that the hashed email addresses are only used for the matching process and will not be shared with third parties or other advertisers. In addition, we do not have the ability to identify individual Facebook accounts within a Custom Audience, nor do we have the ability to tell which hashed email addresses were effectively matched or not.
Lookalike Audiences can also be created by using your email address in the same way as Custom Audience, but with an extra step where we request Facebook to use its algorithms to profile the Custom Audience against its users and create a new audience of similar people, which will not include you.
Both of these audience groups can then be narrowed further using Facebook’s Detailed Targeting settings, such as age range or distance from the venue, but we cannot reduce the audience below the minimum size of 1000. This ensures that all Custom and Lookalike Audiences remain a bulk list and individual users cannot be identified through the process of elimination. We then prepare an advert, select the audience and Facebook targets the digital display advertisement accordingly.
To test the effectiveness of our campaigns we may also make use of Facebook’s Offline Conversions function, where customer sales data is hashed similar to the above and compared to hashed Facebook users that were served an advert. This function then informs us to whether there is any correlation between the advert and the subsequent purchase.
When we process your personal data for our legitimate interests in this way we take great care to consider and balance any potential impact on you and your rights.
If you wish to object to the processing of Personal Data being used in any of the ways listed above or you simply have questions about this please contact us via firstname.lastname@example.org or the Information Compliance Officer at the address in Section 2 above.
However, the nature of Detailed Targeting via Facebook means that some of our adverts can still reach you (even if we have not used your Personal Data to create Custom or Lookalike Audiences). In this scenario Facebook is the Data Controller and will provide options within its privacy settings to allow you to opt out.
7. YOUR RIGHTS
Under the General Data Protection Regulation you have a number of legal rights relating to the collation, retention, processing, sharing and use of your Personal Data. These are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
7.1 The Right To Be Informed
You have the right to be informed about the collection and use of your Personal Data. As a Data Controller we have an obligation to provide you with information relating to how we process your Personal Data, our retention periods for that personal data, and who it will be shared with.
This is called “Privacy Information”.
Please note, we regularly review, and where necessary, update our Privacy Information.
We must also bring any new uses of your Personal Data to your attention before we start the processing.
7.2 The Right of Access
You have the right to access your Personal Data.
To request a copy of your Personal Data please email email@example.com or to the Information Compliance Officer at the address in Section 2 above.
There is currently no charge for this.
7.3 The Right to Rectification
Although we make every effort to ensure the accuracy of all Personal Data held by us, you may feel that what we currently have on record is inaccurate or incomplete. If you wish us to update this information you can make a request for rectification either verbally or in writing via firstname.lastname@example.org or via the Information Compliance Officer at the address in Section 2 above.
7.4 The Right to Erasure
Under GDPR you have the right to have Personal Data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
If you wish to request the erasure of your Personal Data you can make a request either verbally or in writing via email@example.com or via the Information Compliance Officer at the address in Section 2 above.
7.5 The Right to Restrict Processing
You have the right to request the restriction or suppression of your Personal Data. This means that you can limit the way that we use you data but this is different from having your data erased.
You may wish to exercise this right because you have issues with the content of the information we hold or how we have processed your data. This is usually a temporary measure whilst we investigate the accuracy of your Personal Data or the grounds for processing it.
If you wish to request the restriction of processing of your Personal Data you can make a request either verbally or in writing via firstname.lastname@example.org or via the Information Compliance Officer at the address in Section 2 above.
7.6 The Right to Data Portability
This right allows you to obtain and reuse your Personal Data for your own purposes across different services in a safe and secure way, without hindrance to usability (e.g. in a commonly used machine-readable form such as a CSV file). This only refers to Personal Data that you have provided to us, is processed through automated means and where that processing is based on your consent or the performance of a contract.
If you wish to request your Personal Data in a portable format you can make a request in writing via email@example.com or via the Information Compliance Officer at the address in section 2 above.
7.7 The Right to Object
You have the right to object to the processing of your Personal Data based on legitimate interests (see Section 4 above). This can specifically include direct marketing (including profiling); and for the processing for purposes of scientific/historical research and statistics.
If you object to the processing of your Personal Data for direct marketing purposes we must stop processing your Personal Data in this way immediately and there are no exemptions or grounds to refuse.
If you wish to object to the processing of Personal Data you can make a request either verbally or in writing via firstname.lastname@example.org or via the Information Compliance Officer at the address in section 2 above.
In addition, to help you exercise control over the processing of your Personal Data for Direct Marketing via electronic communication you can unsubscribe at any time by following the links on direct marketing emails or, if you have purchased tickets online via our website you can log into your Customer Account and update your Direct Marketing preferences there.
7.8 Rights in relation to automated decision making and profiling.
We use your Personal Data to undertake profiling to better understand our audiences more deeply so that we can produce relevant communications and provide a better experience for our customers and supporters (see 4.4 above). You can object to the processing of your Personal Data in this way under the Right to Object outlined in Section 7.7 above.
If you wish to object to the processing of Personal Data you can make a request either verbally or in writing via email@example.com or via the Information Compliance Officer at the address in Section 2 above.
7.9 The Right to Withdraw Consent
As noted in Section 4.2 above, we process your Personal Data for electronic Direct Marketing purposes by your Consent and you have the right to withdraw this at any time. This does not affect your other rights under GDPR.
To withdraw your consent for the processing of your Personal Data as outlined above you can do so verbally or in writing via firstname.lastname@example.org or via the Information Compliance Officer at the address in Section 2 above.
If you believe that the processing of your Personal Data has infringed on the General Data Protection Regulation you can lodge a complaint with the Information Commissioner’s Office. More information about reporting a breach can be found here: https://ico.org.uk/for-organisations/report-a-breach/
8. Appendix 1: Third Party Data Processors
In order to deliver our services we work with selected third party service providers to process data on our behalf and on our instructions. This is to ensure your Personal Data and the safeguarding of your privacy is managed efficiently and effectively.
In these cases we require that these third parties comply strictly with our instructions and with data protection laws, for example around security of personal data.
Our main third party Data Processors are:
- SPEKTRIX LTD.
Spektrix Ltd. is a specialist company, based in the UK that provides technology and service for Box office sales, reporting, data analysis and fundraising.
Spektrix operates to the highest levels of digital and physical security. Their servers are located in a tier IV data centre in the UK with 24/7 onsite security and tightly restricted access control.
Spektrix is used to process your tickets and sales links within our website. You may have seen the ‘Powered by Spektrix’ logo at the bottom of some of our web pages; it just means that Spektrix is doing its job to keep your Personal Data safe.
Sage Pay is an established multi-channel payment provider in Ireland and a market leader in the UK.
Sage Pay has the highest level of card data security (PCI DSS Level 1 compliant) so customers can purchase tickets with peace of mind and are protected against fraud.
Sage Pay is fully integrated into Spektrix and our website.
Dotmailer is a trusted partner of Spektrix and is integrated into our system.
Dotmailer allows us to securely send information via email for marketing and booking communications.