PART 2
IF YOU USE OUR BOX OFFICE

What personal data do we need?

At the NCEM we need to collect the following information from you to order tickets and/or set up an account with us:

• Title – required
• Full Name (first and last name) – required
• E-mail – required if you have booked a livestreamed concert; are setting up an online account; and when you have opted to receive e-news from us
• Telephone – required for NHS Test & Trace purposes
• Address incl. Postcode – required

Accounts can be set up either online, by telephone, in person at our booking office or by post.  If you set up an account online there is other personal data that you can voluntarily provide in the “Customer Details” section.  It will not affect the purposes of our processing activities if you do not want to provide the personal data in this section.

The NCEM does not hold any payment information about the ticket sale transaction.  Payment transaction information is held by Capita360/Global Payments who are our 3rd party payment partners.  They are data controllers in their own right for the data they process about the payment you make to book a ticket to one of our concerts

If you have booked to view one of our livestreamed concerts, we will add only your email address to a specific database that is connected to our website.  This allows you to watch the concert when it becomes available to view as it matches to the email address you enter into the webpage that contains the livestreamed concert.  We will delete your email address from this database at the end of the viewing timeframe, which in most cases is one month.  In addition to NCEM staff having the necessary access to this database our web designer has access to this data for the purposes of providing web hosting and storage support to us.

What we use your personal data for

We collect and use your personal data for the following purposes:

• to provide you with tickets and key information about event bookings you have made;
• to provide access to our livestreamed concerts;
• to inform you of upcoming events you may be interested in; and
• to analyse ticket sales.

To provide you with tickets and key information about the event booking you have made

When you have made a booking, we will send you the ticket(s) either electronically to the email address you have provided or in the post to the address you have provided.

You may also receive an e-welcome email from us before the event which gives you useful information, such as parking arrangements and anything you need to be aware of about the venue and event.

Our legal basis for this processing is Article 6(b) of GDPR – contractual obligation in relation to the sale of tickets. Failure to provide the required information necessary for the purchase of tickets will mean we are unable to sell a ticket to you.

Our legal basis for processing any accessibility needs about you is Article 9(2)(a) of GDPR – we will seek your explicit consent to process this type of personal data.

To inform you of upcoming events you may be interested in

We like to keep you informed of our upcoming events which we currently do by postal marketing or email marketing.

Our legal basis for this processing is Article 6(f) of GDPR – legitimate interests.  GDPR allows us to use legitimate interests for direct marketing purposes.  We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy and the outcome justifies our use of legitimate interests for this purpose. 

It is not an unreasonable expectation for customers who have either enquired about our events, have set up an account with us or have purchased tickets to our events to receive information about our upcoming events.  This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations, (which governs how a business can undertake electronic direct marketing) and allows us to use soft opt-in for marketing for prospective and existing customers.

We always give you the opportunity to object to receiving marketing communications from us, when we first collect your personal data and with every marketing communication thereafter.

You can change your marketing preferences at any time by:

• Clicking on the unsubscribe button in our marketing emails;
• Using the “Data Protection” tab under “Personal Details” in your online account;
• Telephone us on 01904 658338;
• Write to us at The National Centre for Early Music, St Margaret's Church, Walmgate, York YO1 9TL; or
• Pop in to see us at the above address

To analyse tickets sales

We analyse our ticket sales for the following reasons:

• to provide analytical data to the Arts Council for funding purposes;
• to provide analytical data to City of York Council and East Riding of Yorkshire Council for funding purposes; and
• to undertake our own seasonal analysis of ticket sales. We review the spread of ticket sales by geographical location and the type of events people are buying tickets for.

For us to receive funding from the Arts Council, which is vital to the running of NCEM, we must provide them with analytical data of our ticket sales.  This is part of our contractual arrangements with the Arts Council.  This data is gathered from our box office system by a plug-in tool called Audience Finder (provided by The Audience Agency).  The data gathered is by geographical location of the first part of a post-code only.  No personal data about identifiable individuals is gathered as part of this analytical reporting.  Currently the NCEM does not use the data that has been gathered by Audience Finder for any other purposes than to send to the Arts Council.

Our legal basis for undertaking analytical reporting is Article 6(f) of GDPR – legitimate interests.  It benefits the NCEM to receive vital funding to allow us to continue operating and providing music events and it benefits individuals as we can provide music events that are of particular interest to them.

Recipients of the personal data

The NCEM sometimes sell tickets on behalf of other organisations which can be for their events held at the NCEM venue or other non-NCEM venues across the country.  We therefore need to share your personal data with these third-party organisations so that they can run the event for which the tickets have been purchased and fulfil the booking order.  They may also use your personal data for marketing purposes.  We advise you to read their Privacy Notices to understand what they will do with your personal data.

The third-party organisations who we currently act as ticket agent for are:

• Black Swan Folk Club
• Please Please You
• Revolver Productions
• Sam Johnson Music
• The Ebor Singers
• The University of York
• Yorkshire Bach Choir
• York Chamber Music Festival
• York Opera

For you to purchase a ticket online you will be transferred to our 3rd party payment partners, Capita360 and Global Payments, who will process the payment booking on our behalf.

We also share non-identifiable data, based on first part of postcode only, for funding purposes to:

• The Arts Council
• City of York Council
• East Riding of Yorkshire Council

Retention of information

We keep information relating to ticket sales for 7 years after the most recent booking.

We keep analytical information for 4 years. 

Do we use any data processors?

Yes, we use the following data processors to deliver our service to you:

Seat Geek are our ticketing website host.  All data processed on the ticketing website is stored on Seat Geek’s servers which are located in the UK (including their back-up server).  Seat Geek are able to access and see this data purely for maintenance and service purposes only.

PART 3
IF YOU ENTER OUR YOUNG COMPOSERS AWARD 

What personal data do we need?

Our registration process is an online process and when you register to enter the Young Composers Award you will need to provide us with the following personal data:

• Full name
• Email address
• Age category (from an automatic drop down menu – options are 18 years and under, or 19-25)

After registering to enter the Awards you will be sent a link to an online application form where we will collect the following personal data:

• Name
• Title of the Piece
• Email address
• Age at submission date
• Date of birth
• Postal address
• Telephone number
• Educational institution (if applicable)
• If under 18 – the name and email address of your parent/guardian, their email address and the relationship to you.

How do we get your personal data?

We gather your personal data directly from you at the point of registration and when you submit the application form, both of which are an online process.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to:

• process your registration to enter the Young Composers Award, which includes sending you reminders of the deadline to submit your score;
• process the score you submit as your entry;
• inform you of whether or not your score has been shortlisted;
• arrange shortlisted candidates’ attendance at a workshop and evening performance;
• judge and decide a winning score from the shortlisted candidates;
• arrange attendance of the winners at the concert where their winning piece will be performed; and
• anything else that specifically relates to processing your personal data for the Young Composers Award.

We also like to:

• inform past winners and finalists of new opportunities (both organised by NCEM or other arts organisations), to publicise your successes and to keep you informed of future Young Composers Awards; and
• inform all registrants of future Young Composers Awards.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))

The data we obtain to process your application and entry to the Young Composers Award are necessary for the performance of a contract to which you are subject to.  You must always abide by the rules as set out in the terms and conditions for the Award.

We require certain information from you to enable us to fulfil our pre-contractual (registration stage) and contractual obligations (score entry and judging stage).  If you are not able to provide all the necessary information we need we may not be able to process your registration and submission to the Young Composers Award.

Legitimate interests (GDPR Article 6(1)(f)

We rely on legitimate interests to send you information about our future Young Composers Awards, to notify winners and finalists of new opportunities (both organised by NCEM or other arts organisations) and to promote the winners success.

GDPR allows us to rely on legitimate interests for direct marketing purposes. 

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake direct marketing against your right to privacy.  The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for anyone who enters the Young Composers Award to have their personal data processed in this way.

This also complies with UK e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which governs how a business can undertake electronic direct marketing to consumers. 

You always have the opportunity to object to us processing your personal data in this way, both when we first collect your personal data and with every communication we have with you thereafter.  You can change your marketing preferences at any time by contacting us via one of the ways shown in the “Our contact details” section.

Who do we share your personal data with?

The Young Composers Award is run in association with BBC Radio 3.  As our award partner the BBC sees the personal data of the winner.  The BBC does not usually see the personal data of other entrants; however, they do have the right to ask for these details should they require them as part of the award process.  The BBC retains the personal data of the winner of the award for 2 years.  The BBC is a separate data controller of your personal data for this purpose, for further information on how the BBC process your personal data please read their privacy notice on their website http://www.bbc.co.uk/usingthebbc/privacy/privacy-policy

How long do we keep your personal data?

We keep your personal data for the following periods of time:

• We retain permanently for all registrants your name and year of application.
• We retain permanently the music scores of finalists.
• All application forms and scores of non-finalists are destroyed within 6 months of  the judging of the award.
• We retain registrants email addresses for as long as you want to receive news about future Young Composer Awards.

We retain fully anonymised data for our own internal analysis and trend reporting, this data includes geographical data and age-range data.

Do we use any data processors?

 Yes.  We use the following data processors:

• com – host providers of the online entry and application platform.
• Mailchimp - used to store your contact details and to send you information about future Young Composers Awards
• MS Office 365 – to store data and send emails to and from all registrants of the Young Composers Award.

PART 4
IF YOU ENTER OUR INTERNATIONAL YOUNG ARTISTS COMPETITION

What personal data do we need?

When you apply online to enter the International Young Artists Competition, we will collect the following information from you:

Ensemble nominated lead contact:
• Full name
• Postal address
• Email address
• Mobile number

Each member of the ensemble:

• Full name
• Age
• Date of birth
• Nationality
• Proof of ID (e.g. scan of ID card, passport)

Other information:

• current and/or main teachers
• courses and conservatoires attended
• an unedited video recording of the ensemble playing
• details of your recording
• programme details for the informal and competition recitals
• biography of the ensemble
• letter of recommendation from a prominent personality in musical life
• two recent photographs of the ensemble

How do we get your personal data?

We gather your personal data directly from you when you submit your online application to take part in the International Young Artists Competition. Note - Your application may have been completed by the nominated lead of the ensemble.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to:

• process your online entry in the International Young Artists Competition;
• undertake the initial selection process (based on video recording submitted);
• inform you of whether or not you have been shortlisted;
• provide feedback to unsuccessful applicants
• invite finalists to the competition and arrange for finalists attendance at a reception, rehearsals, informal recitals and competition day;
• judge and decide a winning ensemble from the finalists; and
• anything else that specifically relates to processing your personal data for the International Young Artists Competition.

We also like to:

• inform past winners and finalists of new opportunities (both organised by NCEM or other arts organisations), to publicise the finalists’ successes and to keep you informed of future International Young Artists Competitions; and
• inform previous applicants of future International Young Artists Competitions.

The legal basis we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
The data we obtain to process your application and entry to the International Young Artists Competition are necessary for the performance of a contract which you are subject to. You must abide by the rules of the competition at all times.

We require certain information from you to enable us to fulfil our pre-contractual (application stage) and contractual obligations (initial selection stage and finalists’ stage). If you are not able to provide all the necessary information we need we may not be able to process your application to enter the International Young Artists competition.

Legitimate interests (GDPR Article 6(1)(f)
We rely on legitimate interests to send you information about our future International Young Artists Competitions, to notify winners and finalists of new opportunities (both organised by NCEM or other arts organisations) and to promote their success.

GDPR allows us to rely on legitimate interests for direct marketing purposes.

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake direct marketing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for anyone who enters the International Young Artists Competition to have their personal data processed in this way.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which governs how a business can undertake electronic direct marketing to consumers.

You always have the opportunity to object to us processing your personal data in this way, both when we first collect your personal data and with every communication we have with you thereafter. You can change your marketing preferences at any time by contacting us via one of the ways shown in the “Our contact details” section.

Who do we share your personal data with?

Your personal data are only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

We will share the winners contact details with Linn Records to enable the production of the CD.

BBC Radio 3 record the competition final for editing for future broadcast.

How long do we keep your personal data?

We keep your personal data for the following periods of time:

• We retain permanently for all entrants your name and year of application.
• All application forms and copies of passports/IDs, etc. are destroyed after the final day of the competition.
• We retain entrants email addresses for as long as you want to receive news about future International Young Artists Competitions

We retain fully anonymised data for our own internal analysis and trend reporting, these include geographical data and age-range data.

Do we use any data processors?

Yes. We use the following data processors:

• Wix.com – used to process your online application form to the competition
• Paypal – to process your entry fee to the competition
• Mailchimp - used to store your contact details and to send you information about future competitions
• MS Office 365 – to store data and send emails to and from entrants of the competition

PART 5
IF YOU HIRE OUR VENUE

What personal data do we need?

You can hire our venue for conferences or meetings, weddings or parties, corporate functions, and concerts or lectures. Depending on the type of function you are hiring our venue for we will need some or all of the following personal data:

• Contact name of person making booking
• Address of person making booking
• Organisation name and address
• Position of contact person in organisation
• Telephone number of person making booking
• Email address of person making booking
• Lecturers/performers names

We will also need information relating to the booking which includes but is not limited to space required within NCEM venue, type of function, date, time, number of delegates or expected number of guests, accessibility requirements, room layout, additional equipment and services, planned event timings (e.g. guest arrival times, bar open times, food served times, etc), details of event (content, number of performers).

How do we get your personal data?

We get the personal data of the person making the booking directly from the individual when they contact us to make all the arrangements.

We also obtain personal data of an individual who has enquired about our venue via a third-party venue site, such as hitched.com, UKBrides, forbetterforworse.com and for conferences via VisitYorkforMeetings, and other venue directories

If names of lecturers or performers are provided these have been given to us by the person making the booking.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to

• process the booking for hiring our venue;
• liaise with you about the booking to ensure everything runs smoothly at the event; and
• submit and receive payment from you for the booking.

We will also send an invite to brides and grooms who have enquired about our venue in the preceding 6 months to a wedding fair that we hold every year at NCEM.

The legal basis we rely on for providing a venue to hire is:

Contractual obligation (GDPR Article 6(1)(b))
The data we obtain to process your booking to hire our venue is necessary for the performance of a contract to which you are subject to.

We require certain information from you to enable us to fulfil our pre-contractual (request for venue hire details) and contractual obligations (provision of venue and facilities). If you are not able to provide all the necessary information we need we may not be able to process your booking request and you may not be able to hire our venue and facilities.

Legitimate interests (GDPR Article 6(1)(f))
We rely on legitimate interests to contact brides/grooms who have enquired about our venue for their wedding to invite them to our annual wedding fair.

GDPR allows us to rely on legitimate interests for direct marketing purposes.

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake this type of direct marketing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for individuals who have made enquiries with us about hiring our venue for a wedding to receive information from us about an event that specifically relates to the reason they want to hire our venue.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which governs how a business can undertake electronic direct marketing to businesses and consumers.

You always have the opportunity to object to us processing your personal data in this way. You can contact us via one of the ways shown in the “Our contact details” section to inform us that you do not want us to collect and process your personal data for this purpose.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

If we source the catering for you, we only provide your organisation name, numbers and dietary requirements to the caterers. We do not give your personal data or the personal data of attendees/delegates to the caterers.

How long do we keep your personal data?

We keep all information relating to hiring our venue for 6 years from the end of the financial year the event took place.

Do we use any data processors?

Yes, we use the following data processors:

• Artifax Event – to manage our event planning, room bookings and resource scheduling requirements.
• MS Office 365 – to store and process emails and documentation.

PART 6
IF YOU JOIN ONE OF OUR MEMBERSHIP SCHEMES

What personal data do we need?

To become either a Festival Friend or NCEM Patron we need to collect the following personal data about you:

• Full name
• Postal address
• Email address
• Telephone number (landline or mobile)
• Membership scheme you wish to join
• Amount of any additional donation you wish to make
• Payment for the membership scheme you wish to join (cheque, standing order or payment via our Box Office)
• Gift Aid declaration (where applicable)

How do we get your personal data?

We gather your personal data directly from you when you complete and submit your application to join one of our membership schemes.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to:

• process your application to become a Festival Friend or NCEM Patron;
• invite you to events included with your membership package; and
• keep in touch with you throughout the year.

The legal basis we rely on are:

Consent - GDPR Article 6(1)(a)
By submitting your application form to become a member you are consenting to us using your personal data for this purpose. The membership includes some of the following:
• receiving advance copies of our festival brochure and priority booking;
• notification of NCEM events;
• reserved seating; and
• invitations to attend exclusive events.

By joining one of our membership schemes we will send relevant information to you about our events even if you have previously opted out of receiving marketing through the Box Office.

You always have the right to withdraw your consent to being a member, you can do this by contacting us via one of the methods shown in the “Our contact details”.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We retain membership information for 6 years from the end of the financial year to which they relate to.

Do we use any data processors?

Yes. We use the following data processors:

• Box Office System (hosted by Seat Geek) – used to store all details of Festival Friends and NCEM Patrons;
• Mailchimp – used to store the contact details of all Festival Friends and NCEM Patrons, we may contact you, via Mailchimp, to remind you about your renewal or to let you know about events associated with your membership;
• MS Office 365 Email – used to send emails to Festival Friends and NCEM Patrons to remind you about your renewal or to let you know about events associated with your membership;

What personal data do we need?

You can hire our venue for conferences or meetings, weddings or parties, corporate functions, and concerts or lectures. Depending on the type of function you are hiring our venue for we will need some or all of the following personal data:

• Contact name of person making booking
• Address of person making booking
• Organisation name and address
• Position of contact person in organisation
• Telephone number of person making booking
• Email address of person making booking
• Lecturers/performers names

We will also need information relating to the booking which includes but is not limited to space required within NCEM venue, type of function, date, time, number of delegates or expected number of guests, accessibility requirements, room layout, additional equipment and services, planned event timings (e.g. guest arrival times, bar open times, food served times, etc), details of event (content, number of performers).

How do we get your personal data?

We get the personal data of the person making the booking directly from the individual when they contact us to make all the arrangements.

We also obtain personal data of an individual who has enquired about our venue via a third-party venue site, such as hitched.com, UKBrides, forbetterforworse.com and for conferences via VisitYorkforMeetings, and other venue directories

If names of lecturers or performers are provided these have been given to us by the person making the booking.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to

• process the booking for hiring our venue;
• liaise with you about the booking to ensure everything runs smoothly at the event; and
• submit and receive payment from you for the booking.

We will also send an invite to brides and grooms who have enquired about our venue in the preceding 6 months to a wedding fair that we hold every year at NCEM.

The legal basis we rely on for providing a venue to hire is:

Contractual obligation (GDPR Article 6(1)(b))
The data we obtain to process your booking to hire our venue is necessary for the performance of a contract to which you are subject to.

We require certain information from you to enable us to fulfil our pre-contractual (request for venue hire details) and contractual obligations (provision of venue and facilities). If you are not able to provide all the necessary information we need we may not be able to process your booking request and you may not be able to hire our venue and facilities.

Legitimate interests (GDPR Article 6(1)(f))
We rely on legitimate interests to contact brides/grooms who have enquired about our venue for their wedding to invite them to our annual wedding fair.

GDPR allows us to rely on legitimate interests for direct marketing purposes.

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake this type of direct marketing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for individuals who have made enquiries with us about hiring our venue for a wedding to receive information from us about an event that specifically relates to the reason they want to hire our venue.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which governs how a business can undertake electronic direct marketing to businesses and consumers.

You always have the opportunity to object to us processing your personal data in this way. You can contact us via one of the ways shown in the “Our contact details” section to inform us that you do not want us to collect and process your personal data for this purpose.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

If we source the catering for you, we only provide your organisation name, numbers and dietary requirements to the caterers. We do not give your personal data or the personal data of attendees/delegates to the caterers.

How long do we keep your personal data?

We keep all information relating to hiring our venue for 6 years from the end of the financial year the event took place.

Do we use any data processors?

Yes, we use the following data processors:

• Artifax Event – to manage our event planning, room bookings and resource scheduling requirements.
• MS Office 365 – to store and process emails and documentation.

PART 7
IF YOU MAKE A DONATION TO US

What personal data do we need?

If you make either a one off or regular donation to NCEM we need to collect the following personal data about you:

Donation made via our website (Paypal)
• Name
• Address
• Telephone number
• Email address
• Amount donated
• Gift Aid (where applicable)

Donation made in person, phone or online either by cheque, debit/credit card, bank transfer, or cash (input to our Box Office System)
• Name
• Address (only required for Gift Aid purposes)
• Amount donated
• Debit/Credit details if payment made this way
• Gift Aid (where applicable)

How do we get your personal data?

We gather your personal data directly from you when you make a donation to us.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to process and administer your donation to us. This may include contacting you to invite you to a performance or a reception related to the activity you have supported.

The legal basis we rely on are:

Consent - GDPR Article 6(1)(a)
By making a donation to us you consent to us using your personal data for the purpose of us administering the donation and partaking and celebrating the donation.

You always have the right to withdraw your consent for us to use your personal data for this purpose, you can do this by contacting us via one of the methods shown in the “Our contact details”.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

We will share Gift Aid information with HMRC.

How long do we keep your personal data?

We retain donation information and gift aid forms for 6 years from the end of the financial year to which they relate to.

Do we use any data processors?

Yes. We use the following data processors:

• Paypal – used to process online donations
• Box Office System – to store information about donations made

PART 8
IF YOU ARE ONE OF OUR SPONSORS

(TRUSTS AND FOUNDATIONS / CORPORATE PARTNERS)

What personal data do we need?

• Your organisation name;
• The name (first and last name) of the person who we are liaising with at your organisation (in some cases this may be several staff members details);
• Organisation postal address;
• Organisation email address;
• Organisation telephone number;
• Organisation mobile number;
• Any other information you feel is relevant for the purposes of the processing.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We will obtain your personal data when we apply for funding from your organisation.

We may also obtain personal data of potential corporate sponsors from business networking events or we may have an existing relationship with you.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need the personal data to allow us to process the funding application we are apply for and to meet any funding conditions or sponsorship agreements that are imposed on us.

The legal basis we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
We will process your personal data to meet any pre-contractual obligations we have with you in relation to our funding application and any contractual obligations we have when the funding is in place.

We may require certain information from you to enable us to fulfil our pre-contractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to consider or appoint you as one of our sponsors.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We retain information relating to funding and sponsorship for 6 years from when the funding or sponsorship expires.

Do we use any data processors?

• Microsoft Office 365 – to store and process our information

PART 9
IF YOU JUST WANT TO RECEIVE OUR EVENT INFORMATION & NEWSLETTERS

What personal data do we need?

For us to send you information about our events, festivals, and general updates on the work we do, we need the following personal data about you:

• Full name
• Email address
• Postal address

How do we get your personal data?

We obtain your personal data directly from you when you instruct us to add you to our mailing list, this can be done in person at our box office; by phone; by email; or by clicking the subscribe button on our website.

We also obtain personal data indirectly, from publicly available sources, of music teachers/professors, professional composers, heads of schools, etc.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to be able to send you details of our events and updates that you have subscribed to receive.

We need the contact details of music teachers/professors, professional composers, heads of schools, etc. so that we can contact you to promote to your students our Young Composers Award and International Young Artists Competition.

The legal basis we rely on is:

Consent (GDPR Article 6(1)(a)
By submitting your contact details to receive marketing from us you have given your consent for us to use your personal data for this purpose.

You always have the right to withdraw your consent to receive marketing, you can do this by clicking the “unsubscribe” link in the marketing email you receive.

Legitimate interests (GDPR Article 6(1)(f)
We rely on legitimate interests to collect the contact details of music teachers/professors, professional composers, heads of schools and conservatoires, etc. to be able to send you information about our Young Composers Award and International Young Artists Competition so that you can promote these to your students.

GDPR allows us to rely on legitimate interests for direct marketing purposes.

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake this type of direct marketing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as we do not believe it would be an unreasonable expectation for music professionals to receive information about our Young Composers Award and International Young Artists Competition. There is a clear benefit for you and your students to be aware of these prestigious events, for individuals and music ensembles to showcase their compositions and musical talents. A potential risk of us not contacting you is you may never become aware of the events.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which governs how a business can undertake electronic direct marketing to businesses and consumers.

You always have the opportunity to object to us processing your personal data in this way. You can contact us via one of the ways shown in the “Our contact details” section to inform us that you do not want us to collect and process your personal data for this purpose.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We retain your contact details for as long as you want to receive information about our events and the work we do.

Do we use any data processors?

Yes, we use the following data processors:

• Box Office System – to store your contact details and marketing preference
• Mailchimp - used to store your contact details and to send you newsletters or information about future events

PART 10
IF YOU APPLY FOR A JOB WITH US

What personal data do we need?

When you apply for a job with us you will need to provide some or all of the following information as part of the job application process:

• Full name
• Postal address
• Telephone number
• Mobile number
• Email address
• Equal opportunities information (which includes age, disability, gender, religion, sexual orientation, ethnic group, relationship status, caring responsibility) – voluntary
• Education history
• Qualifications
• Employment history
• Whether you hold a UK work permit
• References

How do we get your personal data?

We collect information directly from you when you submit your application form and/or CV to us.

We will also collect information about you from your referees as you progress down the recruitment process.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to be able to process your application for a job with us, which includes, but is not limited to:

• assessing your suitability for the role applied for;
• making a decision on whether your application progresses to the next stage of the recruitment process (sifting and shortlisting);
• inviting you to interview or tests;
• making a decision on whether or not to appoint you to the role applied for;
• obtaining further information in order to carry out pre-employment checks if we make a conditional offer of employment to you; and
• gathering of information for equal opportunities monitoring

The legal basis we rely on to undertake our recruitment activities includes:

Contractual obligation (GDPR Article 6(1)(b))
The processing of your job application is necessary in order for us to take steps at your request before entering into a possible employment contract with us.

We require certain information from you to enable us to fulfil our employment pre-contractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to process your application and consider you for one of our job vacancies.

Legal obligation (GDPR Article 6(1)(c))
We have certain obligations under employment law in relation to recruitment and selection and equal opportunities that we must comply with.

Processing for employment law (GDPR Article 9(2)(b))
Information you provide to us that relates to special category personal data, such as health, religious or ethnic information is necessary for our recruitment and selection purposes as it relates to our obligations in employment law.

Processing to assess working capacity (GDPR Article 9(2)(h))
We have certain obligations to assess your health in relation to your ability to work for us.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Do we use any data processors?

We do not use any data processors for the purpose of recruitment and selection.

How long do we keep your personal data?

All unsuccessful candidate details are kept for 6 months from the end of the recruitment process they relate to.

Successful candidate details are transferred to their employment record and kept for 6 years after employment ends.

PART 11
IF YOU ARE ONE OF OUR VOLUNTEERS

What personal data do we need?

If you would like to volunteer and help us with the work we do we will need to collect the following personal data from you before you become a volunteer:

• Full Name
• Home address
• Contact details (such as telephone, mobile, email address)
• Date of birth
• Emergency contact details
• Health issues we may need to be aware of
• Personal evacuation emergency plan details
• Any other personal data you give to us that you feel is relevant for us to know

How do we get your personal data?

We gather your personal data directly from you when you complete our volunteer record form.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data so that we can assign volunteer duties to you so you can contribute to the activities of NCEM.

Our legal basis for the processing is:

Consent - GDPR Article 6(1)(a)
By volunteering with us you are consenting to us processing your personal data for this purpose.

You always have the right to withdraw your consent to being a volunteer and can decide at any time that you no longer wish to be a volunteer for our charity. Should you wish to stop being a volunteer please notify our Operations and Events Manager.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We keep volunteer records for 6 years from when our relationship with you ends.

Do we use any data processors?

Yes, we use the following data processors:

• Artifax Event – to store contact details
• Microsoft Office 365 – to store and process our information

PART 12
IF YOU ARE ONE OF OUR SUPPLIERS OR CONTRACTORS

What personal data do we need?

For us to pay you for the service or goods you have provided to us we need to collect and use a small amount of information about you and your business, this is also likely to include some information about the individuals who work at your business. The information we are likely to need is:

• Your business name;
• The name (first and last name) of the person who we are liaising with at your business (in some cases this may be several staff members details);
• Business postal address;
• Business email address;
• Business telephone number;
• Business mobile number;
• Bank details to enable payment to be made;
• Names, address and dates of birth of contract staff and artists/musicians who deliver education projects on our behalf; and
• Any other information you feel is relevant for the purposes of the processing.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We obtain your data directly when we start to use your services or have purchased goods from you. We gather the relevant information from you to enable us to process payment to you for those services and goods.

We also obtain some data, such as your business name and contact details, indirectly from publicly available sources or recommendations from 3rd parties to enable us to contact you to enquire about the services and goods you provide prior to us making a purchase.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to either enquire about the services or goods you provide that we may be interested in purchasing or to make a purchase. We then use your personal data to pay for those goods and services when you invoice us or to raise any queries about the payment.

We also need to undertake DBS checks for contract staff and artists/musicians who we use for education projects. We will use your name, address and date of birth to check your status on the DBS system. We only retain the DBS number and date of checking.

The legal basis we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
The services or goods you have provided to us are done so under contract or with a view to entering into a contract (i.e. we have asked you for a quote for the goods or to undertake the service for us).

We require certain information from you to enable us to fulfil our part of the pre-contractual and contractual obligations, e.g. we need to have certain information to make the purchase and to process payment. If you are not able to provide all the necessary information for us to do this, we will not be able to purchase the goods or services you provide or be able to make payment once purchased.

Legal obligation (GDPR Article 6(1)(c))
We have a legal obligation to pay for any services or goods we have purchased.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Our Accountant will see personal data relating to suppliers and any payments we make.

Invoices may be shared with our grant funders as evidence of expenditure.

How long do we keep your personal data?

We keep all financial data (which includes supplier information) for 6 years from end of the financial year it relates to.