The majority of the personal data we collect is through our Box Office system, we also collect data to help us deliver and improve our services. This includes:
- Consent forms for people who participate in activities including filming and music recording, and for young people who need written permission from a parent or guardian.
- Activity evaluation forms that we use to review and improve the quality of our activities.
- Customer satisfaction surveys, to help us improve the services we offer to the public.
- Email lists so we can keep people updated with events and activities that may interest them.
- Communications (email, letters etc) with artists, creative practitioners and suppliers.
- Analytical data about website and social media users.
Much of this data is ‘anonymised’ and we only collect peoples’ names, contact details or other personal information if they ‘opt-in’, or if it’s a specific requirement.
Shetland Arts acts as both Data Controller and Data Processor in its capacity as a Box Office Provider. We currently collect the following personal data as part of our standard Box Office Operation.
- Customer Name
- Customer Address
- Contact Telephone
- Email Addresses
- Order History.
Under the terms of GDPR data can be collected and processed for a number of reasons. Shetland Arts collects and processes data under the following basis
Purchasing a ticket from Shetland Arts represents a contractual agreement between the customer and Shetland Arts. In these instances, we will collect the data required to allow us to fulfill the order. This includes the Customers name, (for identification purposes) and at least one contact method, to be used in cases of operational necessity (eg to contact customers in the event of cancellation or change relating to their booking). This can also include more detailed information, including access requirements, dietary requirements and emergency contacts, dependant on the event in question.
2. Legitimate Interest
Shetland Arts retains details of purchase history for business purposes, including sales projections and forecasts, sales and booking behaviour analysis.
Shetland Arts also performs specific processing activities (eg marketing emails) only with the express consent of the customer to do so.
At Shetland Arts we are committed to making it as straightforward for you to be in control of the data we might have on record about you:
- Everyone has the right to ask us if we have any data about them, and we’ll let them know as soon as we can.
- You can ask us to delete any data we have about you and we’ll make sure to do so. However, under Point 2. Legitimate Interest, your booking history will remain intact under an anonymised account. Should you then wish to make another booking with Shetland Arts, you may be requested to re-supply their data under Point 1. Contract.
- You may also choose to book tickets for an event on the door using the Anonymous checkout function.
If you’d like us to do either of the above, please contact Wendy Tulloch in writing at Mareel, Lerwick, Shetland ZE1 0NE or through firstname.lastname@example.org
Track and Trace Privacy Notice
Collection of personal data
For the health and safety of the customers and staff in our premises, we must collect the name and contact details of visitors to these premises to support NHS Scotland’s Test & Protect. This information will be used to enable NHS Scotland to contact you should you have been in the premises around the same time as someone who has tested positive for coronavirus. Contacting people who might have been exposed to the virus is an important step in stopping the spread.
Why do we need to collect this data?
As stated above, the purpose for which we are processing your personal data is to assist with NHS Scotland’s Test and Protect strategy in relation to the coronavirus public health epidemic.
This will involve the gathering and, when required, the sharing of information with NHS Scotland as the responsible body for Test and Protect. Your data will not be used for any other purpose. In order to assist in the containment of the virus, we will only share your data when it is requested directly by NHS Scotland.
This will only be in the unlikely event there is a cluster of coronavirus cases linked to the venue. Information will be transferred securely to NHS National Services Scotland who will use the data to contact trace those who were in the establishment at the same time as the positive case, and will provide guidance and support to those who may be advised to self-isolate. For further information on the NHS Scotland Test and Protect strategy please visit the NHS website.
What data will we collect?
Along with the date and time of your arrival and departure, we will collect the following personal data if applicable:
your name; and
contact telephone number.
If you do not have a telephone number, you have the option to provide:
a postal address; or
an email address.
Where multi-household groups are present, we will collect contact details from a ‘lead member’ of each household, along with the number in attendance from each household within the group.
What is our lawful basis for collecting and sharing this data?
Under data protection law, GDPR Article 6(1), we have a number of lawful bases that allow us to collect, process and share personal information. In this case, the lawful basis for processing your data is ‘legal obligation'.
In short, we are obliged to process the personal data to comply with the law which requires us to collect your data and share it with public health officers if they request it under The Health Protection (Coronavirus) (Restrictions) (Scotland) Amendment (No. 11) Regulations 2020.
How long will we retain the data?
Your personal data, collected for the purposes stated in this privacy notice and will be held by us for at least 3 weeks (21 days). All personal data will be held and disposed of in a safe and secure manner.
As defined in the data protection law, GDPR Article(s) 12-23, you have the following rights:
The right to be informed about the collection and use of your personal data. This is outlined above.
The right to access the information we hold about you. Also known as Subject Access Request (SAR).
The right to request rectification of any inaccurate personal data we hold about you. In certain circumstances exemptions to these rights may apply.
Further information is available on the Information Commissioner’s Office website.
Do you have a complaint?
If you consider that your personal data has been misused or mishandled by us, you can raise this with the data controller. In this instance, the data controller is the manager of this venue. If you remain dissatisfied you can make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office Wycliffe House
0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.