The Company gathers and processes your personal information in accordance with this Privacy Notice and in compliance with the General Data Protection Regulations (GDPR) and other relevant data protection regulation and laws. This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.
The Company’s registered office is at 3 Thane Works, London N7 7NU and we are a company registered in England and Wales under company number 2828929. We are registered on the Information Commissioner’s Office Register; registration number Z3216637 and act as the Data Controller when processing your data. Our designated Data Protection Officer is Jon Bradfield who can be contacted at firstname.lastname@example.org.
This policy covers information relating to customers, suppliers and collaborators including freelance performers, designers and other staff, and partner organisations.
Information That We Collect
We process your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice.
The personal data that we collect is:
- Business Address (personal address where that is the business address)
- Business Email (personal email where that is the business email)
- Telephone Number
- Mobile Telephone Number
- Contact person(s) contact information
We collect information in the following ways:
- Online forms (our mailing lists)
- Contact information provided directly by email, phone or post by clients, suppliers and collaborating organisations and their staff.
We store information in the following ways:
- Mailchimp and Paperless Post (our mailing lists)
- In our email software (gmail)
- On Dropbox, a cloud-based system we use as our main server. Only Out of Joint staff have (password-protected) access to this.
- On an internal server where archived digital documents are kept. This will be in our lockable main office.
- On the internal hard drives of our desktop computers.
- On the servers of our Web Hosting suppliers WP Engine (new) and Hans de Kretzer Associates (outgoing). Only bookshop sales records are kept here, including customer contacts and order details; but no bank details. Both Web Hosting companies’ servers are in the UK. Access is only available to Out of Joint staff, and our web developer (until recently Hans de Kretzer Associates; going forward Dan Branigan).
- On PayPal (names and contact only, no access to bank details)
How We Use Your Personal Data
The Company takes your privacy very seriously and will never disclose, share or sell your data without your consent; unless required to do so by law. We retain your data only for as long as is necessary and for the purpose(s) specified in this notice. Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw this consent at any time. The purposes and reasons for processing your personal data are detailed below:
- We collect contact information of individuals we work with, both freelancers and the relevant staff in partner organisations, in order maintain effective working relationships with industry colleagues. Where necessary we collect bank details in order to make payments, and store copies of driving licences and passports.
- We collect your personal data in the performance of a contract or to provide a service and to ensure that orders are completed and can be sent out to your preferred address.
- We will occasionally send you marketing information where we have assessed that it is beneficial to you as a customer and in our interests. Such information will be non-intrusive and is processed on the grounds of legitimate interests.
You have the right to access any personal information that we process about you and to request information about:
- What personal data we hold about you
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store your personal data for
- If we did not collect the data directly from you, information about the source
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible, but certainly within legal timeframes, unless there is a valid reason for not doing so, in which case you will be notified.
You also have the right to request erasure of your personal data or to restrict in accordance with the data protection laws; as well as to object to any direct marketing from us. Where applicable, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request. This is to ensure that your data is protected and kept secure.
Sharing and Disclosing Your Personal Information
We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement. We may use third parties to provide the below services and business functions; however, all processors acting on our behalf process your data only in accordance with instructions from us and comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures. (Where we share data with companies for marketing analysis this will be anonymised.)
Mailchimp (for storing contact information and sending emails including marketing emails)
Paperless Post (for inviting people to performances, readings, fundraising events)
“Mailing houses” such as Romax (for sending communications by post)
Website Hosting (Hans de Kretzer Associates; WP Engine) (for processing orders from our shop)
We take your privacy seriously and take every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information, including:
- Computers are password protected, and when the office is not staffed they are either off or in password-protected mode.
- Any staff member’s mobile phone, laptop or other personal device with access to Out of Joint emails or documents, such as access to Dropbox storage, is PIN-, passcode- or Touch ID-protected.
- Freelancers (e.g. stage management) do not have access to our Dropbox files from their own devices, with the exception of an accountant who has access to some finance files.
- The door to the main office is locked whenever other parts of the building are in use while it is unstaffed.
- Interns and work experience placement students are supervised when working on Out of Joint computers.
- Archived documents stored offsite at our offsite stores are kept in a chained/locked shipping container.
Transfers Outside the EU
Personal data in the European Union is protected by the General Data Protection Regulation (GDPR) but some other countries may not necessarily have the same high standard of protection for your personal data. We do not transfer or store any personal data outside the EU.
Consequences of Not Providing Your Data
You are not obligated to provide your personal information to us. However, we may not be able to offer some/all our services without it, or be able to work with you on projects, where that information is necessary for such fulfilment.
As noted in the ‘How We Use Your Personal Data’ section of this notice, we occasionally process your personal information under the legitimate interests’ legal basis. Where this is the case, we have carried out a thorough Legitimate Interests’ Assessment (LIA) to ensure that we have weighed your interests and any risk posed to you against our own interests; ensuring that they are proportionate and appropriate.
We use the legitimate interests’ legal basis for and have identified that our interests are the management of providing services for customers.
How Long We Keep Your Data
We only ever retain personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We will keep your data on our systems for as long as a relationship exists between us, plus up to one year, unless you ask us specifically to remove your details. We will review the information we hold once a year and remove any that is no longer pertinent to an existing relationship unless legally required to retain it. At this point we may ask your permission to keep your contact details – where this is the case we will be explicit about the intended purposes of contacting you, and we will only do so with your permission.
Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.
Lodging A Complaint
We process your personal information only in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.
Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow SK9 5AF
0303 123 1113