PRIVACY

AT THE NCEM

Privacy Notice – NCEM

The National Centre for Early Music (NCEM) is the trading name of The York Early Music Foundation, a charitable company limited by guarantee, with a registered address of St Margaret's Church, Walmgate, York, YO1 9TL.  The York Early Music Foundation's company registration number is 3499629 and registered charity number is 1068331.

This Privacy Notice sets out how NCEM (the Data Controller) collects and uses your personal data. This Privacy Notice has been written to reflect the changes introduced in May 2018 by both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).

When we refer to “we”, “us”, “our” or “controller” in this Privacy Notice we mean NCEM.

Our Privacy Notice is structured in a way for you to easily find the specific details of what we do with your personal data, depending on which of our services you are using.  We have split the Privacy Notice into 12 parts.  Part 1 is all the information we must tell everyone regardless of which one of our services you use.  Parts 2 to 12 give specific information on how we use your personal data for each of the services that we offer. 


Part 1
GENERAL INFORMATION

Our contact details

NCEM is the data controller for the personal data we process about you.

You can contact us regarding the use of your personal data via one of the following ways:

Postal Address: The National Centre for Early Music, St Margaret's Church, Walmgate, York, YO1 9TL

Telephone: 01904 632220


Email:  finance@ncem.co.uk 


Our Data Protection Officer contact details

We do not have a legal obligation under the UK General Data Protection Regulation (UK GDPR) to appoint a Data Protection Officer.  However, a member of our team does oversee our general compliance with GDPR and other relevant data protection and privacy laws.  The various ways you can contact us to discuss any data protection issues or concerns are shown in the “Our contact details” section.


How we get your personal data

We obtain personal data directly from you in one of the following ways:

  • when you enquire about or book an event we are hosting;

  • if you enter an award or competition;

  • when you book our venue for an event you are hosting;

  • if you become a member or make a donation to us;

  • if you apply for a job or join us as a volunteer;

  • when you sign up for our newsletters;

  • if you become one of our sponsors; or

  • if you are one of our suppliers.


The legal basis to process your personal data

When gathering and using your personal data we must have a legal basis to do so – this is a requirement of data protection law.

The legal basis we rely on to process your personal data varies depending on the processing activity undertaken.  Generally, we will rely on either consent, contractual obligation or legitimate interests to process your personal data.  The full details of the legal basis we rely on to process your personal data are given in Parts 2 to 12 of this privacy notice.

Regardless of which service you use with us, in order for us to comply with one of our legal or regulatory obligations we will rely on the legal basis of “legal obligation” to process your personal data.  For example, we may need to share personal data with regulators such as the Charity Commission or Information Commissioner’s Office.  We also have to retain personal data for accounting purposes and transactions relating to Gift Aid have to be declared to HMRC.


Your rights

Depending on the purpose and legal basis we rely on for processing your personal data, there are various rights available to you.  You can:

  • access the personal data we keep about you and be given specific information about the processing.  This right always applies regardless of the processing activity we undertake.  

  • ask us to rectify personal data we hold about you that you think is inaccurate.  This right always applies regardless of the processing activity we undertake. 

  • ask us to delete your personal data but only when specific circumstances apply. 

  • ask us to restrict the processing of your personal data but only when specific circumstances apply.

  • object to the processing when we have relied on legitimate interest to undertake that processing activity and you believe we have infringed your rights. 

  • transfer your personal data from us to another service provider or give it to you.  This right only applies to personal data you have given to us and when the processing is based on your consent or contractual basis and the processing is automated.

We do not undertake any solely automated decision making about you with the personal data we process.

To find out more about how to exercise your rights please refer to the guidance on the Information Commissioner’s Office website - https://ico.org.uk/your-data-matters/.

You do not have to pay a fee to us to exercise any of your rights.  However, if your request is manifestly unfounded or excessive we may either charge a reasonable fee or refuse the request.

We shall respond to a valid request within one month of receiving it.

If you wish to make a request, please contact us via one of the methods shown in the “Our contact details” section.

How to make a complaint about us to the Information Commissioner’s Office

If you are not happy with how we are processing your personal data or you believe we have not dealt with one of your rights correctly you are entitled to make a complaint to the Information Commissioner’s Office (ICO).  The ICO has several ways in which you can get in touch with them, including post, email, and online forms.  For full details of how to make a complaint please refer to their website - https://ico.org.uk/make-a-complaint/.

Sharing your information

We do not share, sell or rent your personal data to third parties for them to use for their own marketing purposes.

Some of the services we offer require us to share personal data with other businesses to enable that service to be delivered.  Where data sharing does occur, we ensure we comply with data protection laws and have in place a data sharing agreement.  We have specified in the relevant parts of this privacy notice when data sharing takes place and who we will be sharing your data with.

On rare occasions we may need to share your personal data with another business if we are required to do so by law.  In such cases our legal basis for sharing your data is “necessary for compliance with a legal obligation we are subject to” (GDPR Article 6(1)(c)).


Using data processors

We sometimes use data processors to help us fulfil the delivery of our services or products to you.

When we do use other businesses to process personal data on our behalf (these are known as data processors) we ensure we have appropriate UK GDPR compliant contracts in place with each one.

The data processor is not allowed to do anything with your personal data other than what we have instructed them to do with it. They will not share your personal data with any other business apart from us, unless they are required to do so by law. They will hold it securely and retain it for the period we instruct.

Our data processors include:

  • MS Office 365 – we use Microsoft Office to process and store information which includes personal data, this includes email;

  • Box Office System (hosted by Seat Geek) – used to process sales and tickets for events and to store customer contact details;

  • Artifax Event – we use this system to manage all our events we host;

  • Survey Monkey – we occasionally undertake surveys to help us improve our service;

  • Mailchimp – we store individual’s contact details on Mailchimp and send information, e.g. events, newsletters via this platform;

  • Paypal – used to process payment when you make an online monetary donation to us and for entry to our competition;

  • IT maintenance and service – our IT contractor has access to our computer network and systems that contain personal data to undertake routine maintenance and deal with IT related problems;

  • Website development and hosting – our website developer hosts our website on our behalf, therefore they are able to access and see personal data captured on our website, including cookies;

  • Wix – used to process online entries to our International Young Artists Competition; and

  • Accountants – we use accountants to undertake our payroll and audit functions (they may see personal data of our customers in the course of the activities they undertake for us).


Transferring personal data outside of the UK and EU

Sometimes it is not possible for us to store or process your personal data wholly in the UK.  When your personal data does need to be transferred or stored outside of the UK we make sure we comply with the specific requirements set out in UK GDPR for us to undertake this.  We will only transfer personal data outside of the UK when one of the following provisions is in place to safeguard your personal data:

  • An “adequacy decision” is in place with the country where the personal data is being transferred to.  The UK has “adequacy regulations” in relation to the following countries and territories:

    • The European Economic Area (EEA) countries;

    • EU or EEA institutions, bodies, offices or agencies;

    • Gibraltar;

    • Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020).

  • An “appropriate safeguard” as set out in UK GDPR is in place.  These include standard contractual clauses and binding corporate rules.

  • An “exception” as set out in UK GDPR can be relied on if there is no adequacy decision or appropriate safeguard in place. For example, we could rely on your explicit consent to make the transfer of personal data.

Personal data is transferred outside of the UK in the following circumstances:

Mailchimp

We use the marketing platform Mailchimp to store your contact details and other personal data which allows us to undertake our marketing activities.  Mailchimp is operated by The Rocket Science Group LLC, who are based in Georgia in the United States of America.  All our data on the Mailchimp platform is therefore transferred and stored in the USA.  We rely on Standard Contractual Clauses to undertake the transfer of personal data (GDPR Article 46(2)(c)).

Wix.com

We use Wix.com Ltd for our online registration and application process for entry into the International Young Artists Competition and Young Composers Award on our website https://www.yorkcomp.ncem.co.uk/.  Data input onto our online application form may be processed and stored by Wix.com in the United States of America, in Israel and in Europe (including the Ukraine).  We rely on Standard Contractual Clauses to undertake the transfer of personal data (GDPR Article 46(2)(2)) and the following exception:

Adequacy decision in place (GDPR Article 45)

Israel is one of the countries considered by the European Commission to be offering an adequate level of protection for the processing of personal data. 

Survey Monkey

We use Survey Monkey to undertake customer satisfaction surveys or other surveys related to the work we do.  Survey Monkey are based in California in the United States of America.  Completed surveys may therefore be transferred and stored in the USA.  We rely on Standard Contractual Clauses to undertake the transfer of personal data (GDPR Article 46(2)(c)).

Microsoft Office 365

We use Microsoft Office 365 to process and store most of our information which will include some of your personal data.  Microsoft Office 365 is a product supplied by the Microsoft Corporation who are based in Washington in the United States of America.  It is possible that the information we process and store in Microsoft Office 365 may be transferred and stored on servers in the USA.  We rely on Standard Contractual Clauses to undertake the transfer of personal data (GDPR Article 46(2)(c)).


NHS Test & Trace - Recording staff, customer and visitor details: how we use your information

To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.

By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.  As a visitor to our premises you will be asked to provide some basic information and contact details. The following information will be collected:

  • your full name;

  • a contact phone number; and

  • date of your visit and arrival time and departure time.

Additionally, we operate the Test & Trace check-in at our premises.  For those that don’t have the app to check-in when they arrive we operate a paper Test & Trace check-in system.  All paperwork is shredded after the required timeframe.

We are responsible for compliance with data protection legislation for the period of time we hold your information from the point of collection.  When that information is requested by the NHS Test and Trace service, they would at that point be responsible for compliance with data protection legislation for that period of time.

As part of safeguarding your personal data, the NHS Test and Trace service has in place technical, organisational and administrative security measures to protect the personal information that it receives from us and holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.

In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.

NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.

For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).

Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.

However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would and as is set out in our main Privacy Notice which is published on our website.

Our lawful ground for using your information for NHS Test & Trace purposes is GDPR Article 6 (1) (c) – a legal obligation to which we as a venue are subject. The legal obligation to which we are subject means that we’re mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus.


Visitors to our website

In operating our website, www.ncem.co.uk, we use a third-party service, Google Analytics, to collect and process standard internet log information about your visits to our website and the resources that you access, including, but not limited to, traffic data, location data, weblogs and other communication data all of which enables us to improve our services to you.  We are not able to identify anyone from this data.

For more information about cookies please read our Cookie Policy.


Children’s information

 We collect and process personal data relating to children in relation to the following services:

  • Young Composers Award

Links to other websites

Our website may provide links to websites of other organisations.   Our Privacy Notice does not cover how those organisations process your personal data when you visit their website.  We advise you to read their Privacy Notices. 

Changes to our Privacy Notice

We keep our Privacy Notice under review to ensure it remains accurate and up to date.  This Privacy Notice was last updated in April 2021.

PART 2
IF YOU USE OUR BOX OFFICE

What personal data do we need?

At the NCEM we need to collect the following information from you to order tickets and/or set up an account with us:

  • Title – required
  • Full Name (first and last name) – required
  • E-mail – required if you have booked a livestreamed concert; are setting up an online account; and when you have opted to receive e-news from us
  • Telephone – required for NHS Test & Trace purposes
  • Address incl. Postcode – required

Accounts can be set up either online, by telephone, in person at our booking office or by post.  If you set up an account online there is other personal data that you can voluntarily provide in the “Customer Details” section.  It will not affect the purposes of our processing activities if you do not want to provide the personal data in this section.

The NCEM does not hold any payment information about the ticket sale transaction.  Payment transaction information is held by Capita360/Global Payments who are our 3rd party payment partners.  They are data controllers in their own right for the data they process about the payment you make to book a ticket to one of our concerts.

If you have booked to view one of our livestreamed concerts, we will add only your email address to a specific database that is connected to our website.  This allows you to watch the concert when it becomes available to view as it matches to the email address you enter into the webpage that contains the livestreamed concert.  We will delete your email address from this database at the end of the viewing timeframe, which in most cases is one month.  In addition to NCEM staff having the necessary access to this database our web designer has access to this data for the purposes of providing web hosting and storage support to us.

What we use your personal data for

We collect and use your personal data for the following purposes:

  • to provide you with tickets and key information about event bookings you have made;
  • to provide access to our livestreamed concerts;
  • to inform you of upcoming events you may be interested in; and
  • to analyse ticket sales.

To provide you with tickets and key information about the event booking you have made

When you have made a booking, we will send you the ticket(s) either electronically to the email address you have provided or in the post to the address you have provided.

You may also receive an e-welcome email from us before the event which gives you useful information, such as parking arrangements and anything you need to be aware of about the venue and event.

Our legal basis for this processing is Article 6(b) of GDPR – contractual obligation in relation to the sale of tickets. Failure to provide the required information necessary for the purchase of tickets will mean we are unable to sell a ticket to you.

Our legal basis for processing any accessibility needs about you is Article 9(2)(a) of GDPR – we will seek your explicit consent to process this type of personal data.

To inform you of upcoming events you may be interested in

We like to keep you informed of our upcoming events which we currently do by postal marketing or email marketing.

Our legal basis for this processing is Article 6(f) of GDPR – legitimate interests.  GDPR allows us to use legitimate interests for direct marketing purposes.  We have undertaken a legitimate interest assessment, which balances our business purposes for the processing against your right to privacy and the outcome justifies our use of legitimate interests for this purpose. 

It is not an unreasonable expectation for customers who have either enquired about our events, have set up an account with us or have purchased tickets to our events to receive information about our upcoming events.  This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations (which govern how a business can undertake electronic direct marketing), and allows us to use soft opt-in for marketing for prospective and existing customers.

We always give you the opportunity to object to receiving marketing communications from us, when we first collect your personal data and with every marketing communication thereafter.

You can change your marketing preferences at any time by:

  • Clicking on the unsubscribe button in our marketing emails;
  • Using the “Data Protection” tab under “Personal Details” in your online account;
  • Telephoning us on 01904 658338;
  • Writing to us at The National Centre for Early Music, St Margaret's Church, Walmgate, York YO1 9TL; or
  • Popping in to see us at the above address.

To analyse ticket sales

We analyse our ticket sales for the following reasons:

  • to provide analytical data to the Arts Council for funding purposes;
  • to provide analytical data to City of York Council and East Riding of Yorkshire Council for funding purposes; and
  • to undertake our own seasonal analysis of ticket sales. We review the spread of ticket sales by geographical location and the type of events people are buying tickets for.

For us to receive funding from the Arts Council, which is vital to the running of NCEM, we must provide them with analytical data of our ticket sales.  This is part of our contractual arrangements with the Arts Council.  This data is gathered from our box office system by a plug-in tool called Audience Finder (provided by The Audience Agency).  The data gathered is by geographical location of the first part of a post-code only.  No personal data about identifiable individuals is gathered as part of this analytical reporting.  Currently the NCEM does not use the data that has been gathered by Audience Finder for any other purposes than to send to the Arts Council.

Our legal basis for undertaking analytical reporting is Article 6(f) of GDPR – legitimate interests.  It benefits the NCEM to receive vital funding to allow us to continue operating and providing music events and it benefits individuals as we can provide music events that are of particular interest to them.

Recipients of the personal data

The NCEM sometimes sells tickets on behalf of other organisations which can be for their events held at the NCEM venue or other non-NCEM venues across the country.  We therefore need to share your personal data with these third-party organisations so that they can run the event for which the tickets have been purchased and fulfil the booking order.  They may also use your personal data for marketing purposes.  We advise you to read their Privacy Notices to understand what they will do with your personal data.

The third-party organisations who we currently act as ticket agent for are:

  • Black Swan Folk Club
  • Please Please You
  • Revolver Productions
  • Sam Johnson Music
  • The Ebor Singers
  • The University of York
  • Yorkshire Bach Choir
  • York Chamber Music Festival
  • York Opera

For you to purchase a ticket online you will be transferred to our 3rd party payment partners, Capita360 and Global Payments, who will process the payment booking on our behalf.

We also share non-identifiable data, based on first part of postcode only, for funding purposes to:

  • The Arts Council
  • City of York Council
  • East Riding of Yorkshire Council

Retention of information

We keep information relating to ticket sales for 7 years after the most recent booking.

We keep analytical information for 4 years. 

Do we use any data processors?

Yes, we use the following data processors to deliver our service to you:

Seat Geek are our ticketing website host.  All data processed on the ticketing website is stored on Seat Geek’s servers which are located in the UK (including their back-up server).  Seat Geek are able to access and see this data purely for maintenance and service purposes only.

PART 3
IF YOU ENTER OUR YOUNG COMPOSERS AWARD
 

What personal data do we need?

Our registration process is an online process and when you register to enter the Young Composers Award you will need to provide us with the following personal data:

  • Full name
  • Email address
  • Age category (from an automatic drop down menu – options are 18 years and under, or 19-25)

After registering to enter the Awards you will be sent a link to an online application form where we will collect the following personal data:

  • Name
  • Title of the Piece
  • Email address
  • Age at submission date
  • Date of birth
  • Postal address
  • Telephone number
  • Educational institution (if applicable)
  • If under 18 – the name and email address of your parent/guardian and their relationship to you.

How do we get your personal data?

We gather your personal data directly from you at the point of registration and when you submit the application form, both of which are an online process.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to:

  • process your registration to enter the Young Composers Award, which includes sending you reminders of the deadline to submit your score;
  • process the score you submit as your entry;
  • inform you of whether or not your score has been shortlisted;
  • arrange shortlisted candidates’ attendance at a workshop and evening performance;
  • judge and decide a winning score from the shortlisted candidates;
  • arrange attendance of the winners at the concert where their winning piece will be performed; and
  • anything else that specifically relates to processing your personal data for the Young Composers Award.

We also like to:

  • inform past winners and finalists of new opportunities (both organised by NCEM or other arts organisations), to publicise your successes and to keep you informed of future Young Composers Awards; and
  • inform all registrants of future Young Composers Awards.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))

The data we obtain to process your application and entry to the Young Composers Award are necessary for the performance of a contract to which you are subject.  You must always abide by the rules as set out in the terms and conditions for the Award.

We require certain information from you to enable us to fulfil our pre-contractual (registration stage) and contractual obligations (score entry and judging stage).  If you are not able to provide all the necessary information we need we may not be able to process your registration and submission to the Young Composers Award.

Legitimate interests (GDPR Article 6(1)(f))

We rely on legitimate interests to send you information about our future Young Composers Awards, to notify winners and finalists of new opportunities (both organised by NCEM or other arts organisations) and to promote the winners’ success.

GDPR allows us to rely on legitimate interests for direct marketing purposes. 

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake direct marketing against your right to privacy.  The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for anyone who enters the Young Composers Award to have their personal data processed in this way.

This also complies with UK e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which govern how a business can undertake electronic direct marketing to consumers.

You always have the opportunity to object to us processing your personal data in this way, both when we first collect your personal data and with every communication we have with you thereafter.  You can change your marketing preferences at any time by contacting us via one of the ways shown in the “Our contact details” section.

Who do we share your personal data with?

The Young Composers Award is run in association with BBC Radio 3.  As our award partner the BBC sees the personal data of the winner.  The BBC does not usually see the personal data of other entrants; however, they do have the right to ask for these details should they require them as part of the award process.  The BBC retains the personal data of the winner of the award for 2 years.  The BBC is a separate data controller of your personal data for this purpose.  For further information on how the BBC processes your personal data please read their privacy notice on their website http://www.bbc.co.uk/usingthebbc/privacy/privacy-policy

How long do we keep your personal data?

We keep your personal data for the following periods of time:

  • We retain permanently for all registrants your name and year of application.
  • We retain permanently the music scores of finalists.
  • All application forms and scores of non-finalists are destroyed within 6 months of the judging of the award.
  • We retain registrants’ email addresses for as long as you want to receive news about future Young Composers Awards.

We retain fully anonymised data for our own internal analysis and trend reporting; this data includes geographical data and age-range data.

Do we use any data processors?

 Yes.  We use the following data processors:

  • com – host providers of the online entry and application platform.
  • Mailchimp - used to store your contact details and to send you information about future Young Composers Awards
  • MS Office 365 – to store data and send emails to and from all registrants of the Young Composers Award.

PART 4
IF YOU ENTER OUR INTERNATIONAL YOUNG ARTISTS COMPETITION

What personal data do we need?

When you apply online to enter the International Young Artists Competition, we will collect the following information from you:

Ensemble nominated lead contact:
• Full name
• Postal address
• Email address
• Mobile number

Each member of the ensemble:

• Full name
• Age
• Date of birth
• Nationality
• Proof of ID (e.g. scan of ID card, passport)

Other information:

• current and/or main teachers
• courses and conservatoires attended
• an unedited video recording of the ensemble playing
• details of your recording
• programme details for the informal and competition recitals
• biography of the ensemble
• letter of recommendation from a prominent personality in musical life
• two recent photographs of the ensemble

How do we get your personal data?

We gather your personal data directly from you when you submit your online application to take part in the International Young Artists Competition. Note - Your application may have been completed by the nominated lead of the ensemble.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to:

• process your online entry in the International Young Artists Competition;
• undertake the initial selection process (based on video recording submitted);
• inform you of whether or not you have been shortlisted;
• provide feedback to unsuccessful applicants;
• invite finalists to the competition and arrange for finalists’ attendance at a reception, rehearsals, informal recitals and competition day;
• judge and decide a winning ensemble from the finalists; and
• anything else that specifically relates to processing your personal data for the International Young Artists Competition.

We also like to:

• inform past winners and finalists of new opportunities (organised either by NCEM or by other arts organisations), to publicise the finalists’ successes and to keep you informed of future International Young Artists Competitions; and
• inform previous applicants of future International Young Artists Competitions.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
The data we obtain to process your application and entry to the International Young Artists Competition are necessary for the performance of a contract which you are subject to. You must abide by the rules of the competition at all times.

We require certain information from you to enable us to fulfil our pre-contractual (application stage) and contractual obligations (initial selection stage and finalists’ stage). If you are not able to provide all the necessary information we need we may not be able to process your application to enter the International Young Artists competition.

Legitimate interests (GDPR Article 6(1)(f))
We rely on legitimate interests to send you information about our future International Young Artists Competitions, to notify winners and finalists of new opportunities (organised either by NCEM or by other arts organisations) and to promote their success.

GDPR allows us to rely on legitimate interests for direct marketing purposes.

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake direct marketing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for anyone who enters the International Young Artists Competition to have their personal data processed in this way.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which govern how a business can undertake electronic direct marketing to consumers.

You always have the opportunity to object to us processing your personal data in this way, both when we first collect your personal data and with every communication we have with you thereafter. You can change your marketing preferences at any time by contacting us via one of the ways shown in the “Our contact details” section.

Who do we share your personal data with?

Your personal data are only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

We will share the winners' contact details with Linn Records to enable the production of the CD.

BBC Radio 3 record the competition final for editing for future broadcast.

How long do we keep your personal data?

We keep your personal data for the following periods of time:

• We permanently retain the name and year of application of all entrants.
• All application forms and copies of passports/IDs, etc. are destroyed after the final day of the competition.
• We retain entrants' email addresses for as long as you want to receive news about future International Young Artists Competitions.

We retain fully anonymised data for our own internal analysis and trend reporting. This data includes geographical data and age-range data.

Do we use any data processors?

Yes. We use the following data processors:

• Wix.com – used to process your online application form to the competition
• Paypal – to process your entry fee to the competition
• Mailchimp - used to store your contact details and to send you information about future competitions
• MS Office 365 – to store data and send emails to and from entrants of the competition

PART 5
IF YOU HIRE OUR VENUE

What personal data do we need?

You can hire our venue for conferences or meetings, weddings or parties, corporate functions, and concerts or lectures. Depending on the type of function you are hiring our venue for we will need some or all of the following personal data:

• Contact name of person making booking
• Address of person making booking
• Organisation name and address
• Position of contact person in organisation
• Telephone number of person making booking
• Email address of person making booking
• Lecturers/performers names

We will also need information relating to the booking which includes but is not limited to space required within NCEM venue, type of function, date, time, number of delegates or expected number of guests, accessibility requirements, room layout, additional equipment and services, planned event timings (e.g. guest arrival times, bar open times, food served times, etc), details of event (content, number of performers).

How do we get your personal data?

We get the personal data of the person making the booking directly from the individual when they contact us to make all the arrangements.

We also obtain personal data of an individual who has enquired about our venue via a third-party venue site, such as hitched.com, UKBrides, forbetterforworse.com and, for conferences, via VisitYorkforMeetings and other venue directories.

If names of lecturers or performers are provided these have been given to us by the person making the booking.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to:

• process the booking for hiring our venue;
• liaise with you about the booking to ensure everything runs smoothly at the event; and
• submit and receive payment from you for the booking.

We will also send an invite to brides and grooms who have enquired about our venue in the preceding 6 months to a wedding fair that we hold every year at NCEM.

The legal basis we rely on for providing a venue to hire is:

Contractual obligation (GDPR Article 6(1)(b))
The data we obtain to process your booking to hire our venue is necessary for the performance of a contract to which you are subject.

We require certain information from you to enable us to fulfil our pre-contractual (request for venue hire details) and contractual obligations (provision of venue and facilities). If you are not able to provide all the necessary information we need we may not be able to process your booking request and you may not be able to hire our venue and facilities.

Legitimate interests (GDPR Article 6(1)(f))
We rely on legitimate interests to contact brides/grooms who have enquired about our venue for their wedding to invite them to our annual wedding fair.

GDPR allows us to rely on legitimate interests for direct marketing purposes.

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake this type of direct marketing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as it would not be an unreasonable expectation for individuals who have made enquiries with us about hiring our venue for a wedding to receive information from us about an event that specifically relates to the reason they want to hire our venue.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which govern how a business can undertake electronic direct marketing to businesses and consumers.

You always have the opportunity to object to us processing your personal data in this way. You can contact us via one of the ways shown in the “Our contact details” section to inform us that you do not want us to collect and process your personal data for this purpose.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

If we source the catering for you, we only provide your organisation name, numbers and dietary requirements to the caterers. We do not give your personal data or the personal data of attendees/delegates to the caterers.

How long do we keep your personal data?

We keep all information relating to hiring our venue for 6 years from the end of the financial year the event took place.

Do we use any data processors?

Yes, we use the following data processors:

• Artifax Event – to manage our event planning, room bookings and resource scheduling requirements.
• MS Office 365 – to store and process emails and documentation.

PART 6
IF YOU JOIN ONE OF OUR MEMBERSHIP SCHEMES

What personal data do we need?

To become either a Festival Friend or NCEM Patron we need to collect the following personal data about you:

• Full name
• Postal address
• Email address
• Telephone number (landline or mobile)
• Membership scheme you wish to join
• Amount of any additional donation you wish to make
• Payment for the membership scheme you wish to join (cheque, standing order or payment via our Box Office)
• Gift Aid declaration (where applicable)

How do we get your personal data?

We gather your personal data directly from you when you complete and submit your application to join one of our membership schemes.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to:

• process your application to become a Festival Friend or NCEM Patron;
• invite you to events included with your membership package; and
• keep in touch with you throughout the year.

The legal basis we rely on is:

Consent - GDPR Article 6(1)(a)
By submitting your application form to become a member you are consenting to us using your personal data for this purpose. The membership includes some of the following:
• receiving advance copies of our festival brochure and priority booking;
• notification of NCEM events;
• reserved seating; and
• invitations to attend exclusive events.

By joining one of our membership schemes we will send relevant information to you about our events even if you have previously opted out of receiving marketing through the Box Office.

You always have the right to withdraw your consent to being a member. You can do this by contacting us via one of the methods shown in the “Our contact details” section.

Who do we share your personal data with?

Your personal data is only used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We retain membership information for 6 years from the end of the financial year to which it relates.

Do we use any data processors?

Yes. We use the following data processors:

• Box Office System (hosted by Seat Geek) – used to store all details of Festival Friends and NCEM Patrons;
• Mailchimp – used to store the contact details of all Festival Friends and NCEM Patrons. We may contact you, via Mailchimp, to remind you about your renewal or to let you know about events associated with your membership;
• MS Office 365 Email – used to send emails to Festival Friends and NCEM Patrons to remind you about your renewal or to let you know about events associated with your membership.

PART 7
IF YOU MAKE A DONATION TO US

What personal data do we need?

If you make either a one-off or regular donation to NCEM, we need to collect the following personal data about you:

Donation made via our website (Paypal)
• Name
• Address
• Telephone number
• Email address
• Amount donated
• Gift Aid (where applicable)

Donation made in person, phone or online either by cheque, debit/credit card, bank transfer, or cash (input to our Box Office System)
• Name
• Address (only required for Gift Aid purposes)
• Amount donated
• Debit/Credit details if payment made this way
• Gift Aid (where applicable)

How do we get your personal data?

We gather your personal data directly from you when you make a donation to us.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to process and administer your donation to us. This may include contacting you to invite you to a performance or a reception related to the activity you have supported.

The legal basis we rely on is:

Consent - GDPR Article 6(1)(a)
By making a donation to us you consent to us using your personal data for the purpose of us administering the donation and partaking and celebrating the donation.

You always have the right to withdraw your consent for us to use your personal data for this purpose. You can do this by contacting us via one of the methods shown in the “Our contact details” section.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

We will share Gift Aid information with HMRC.

How long do we keep your personal data?

We retain donation information and Gift Aid forms for 6 years from the end of the financial year to which they relate.

Do we use any data processors?

Yes. We use the following data processors:

• Paypal – used to process online donations
• Box Office System – to store information about donations made

PART 8
IF YOU ARE ONE OF OUR SPONSORS

(TRUSTS AND FOUNDATIONS / CORPORATE PARTNERS)

What personal data do we need?

• Your organisation name;
• The name (first and last name) of the person who we are liaising with at your organisation (in some cases this may be several staff members' details);
• Organisation postal address;
• Organisation email address;
• Organisation telephone number;
• Organisation mobile number;
• Any other information you feel is relevant for the purposes of the processing.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We will obtain your personal data when we apply for funding from your organisation.

We may also obtain personal data of potential corporate sponsors from business networking events or we may have an existing relationship with you.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need the personal data to allow us to process the funding application we are applying for and to meet any funding conditions or sponsorship agreements that are imposed on us.

The legal basis we rely on is:

Contractual obligation (GDPR Article 6(1)(b))
We will process your personal data to meet any pre-contractual obligations we have with you in relation to our funding application and any contractual obligations we have when the funding is in place.

We may require certain information from you to enable us to fulfil our pre-contractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to consider or appoint you as one of our sponsors.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We retain information relating to funding and sponsorship for 6 years from when the funding or sponsorship expires.

Do we use any data processors?

• Microsoft Office 365 – to store and process our information

PART 9
IF YOU JUST WANT TO RECEIVE OUR EVENT INFORMATION & NEWSLETTERS

What personal data do we need?

For us to send you information about our events, festivals, and general updates on the work we do, we need the following personal data about you:

• Full name
• Email address
• Postal address

How do we get your personal data?

We obtain your personal data directly from you when you instruct us to add you to our mailing list. This can be done in person at our box office; by phone; by email; or by clicking the subscribe button on our website.

We also obtain personal data indirectly, from publicly available sources, of music teachers/professors, professional composers, heads of schools, etc.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to be able to send you details of our events and updates that you have subscribed to receive.

We need the contact details of music teachers/professors, professional composers, heads of schools, etc. so that we can contact you to promote to your students our Young Composers Award and International Young Artists Competition.

The legal basis we rely on is:

Consent (GDPR Article 6(1)(a))
By submitting your contact details to receive marketing from us you have given your consent for us to use your personal data for this purpose.

You always have the right to withdraw your consent to receive marketing. You can do this by clicking the “unsubscribe” link in the marketing email you receive.

Legitimate interests (GDPR Article 6(1)(f))
We rely on legitimate interests to collect the contact details of music teachers/professors, professional composers, heads of schools and conservatoires, etc. to be able to send you information about our Young Composers Award and International Young Artists Competition so that you can promote these to your students.

GDPR allows us to rely on legitimate interests for direct marketing purposes.

Additionally, we have undertaken a legitimate interest assessment, which balances our business purpose to undertake this type of direct marketing against your right to privacy. The outcome of the balancing test justifies our use of legitimate interests for this purpose as we do not believe it would be an unreasonable expectation for music professionals to receive information about our Young Composers Award and International Young Artists Competition. There is a clear benefit for you and your students to be aware of these prestigious events, for individuals and music ensembles to showcase their compositions and musical talents. A potential risk of us not contacting you is you may never become aware of the events.

This also complies with e-Privacy laws, currently the Privacy & Electronic Communication Regulations 2003, which govern how a business can undertake electronic direct marketing to businesses and consumers.

You always have the opportunity to object to us processing your personal data in this way. You can contact us via one of the ways shown in the “Our contact details” section to inform us that you do not want us to collect and process your personal data for this purpose.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We retain your contact details for as long as you want to receive information about our events and the work we do.

Do we use any data processors?

Yes, we use the following data processors:

• Box Office System – to store your contact details and marketing preference
• Mailchimp - used to store your contact details and to send you newsletters or information about future events

PART 10
IF YOU APPLY FOR A JOB WITH US

What personal data do we need?

When you apply for a job with us you will need to provide some or all of the following information as part of the job application process:

• Full name
• Postal address
• Telephone number
• Mobile number
• Email address
• Equal opportunities information (which includes age, disability, gender, religion, sexual orientation, ethnic group, relationship status, caring responsibility) – voluntary
• Education history
• Qualifications
• Employment history
• Whether you hold a UK work permit
• References

How do we get your personal data?

We collect information directly from you when you submit your application form and/or CV to us.

We will also collect information about you from your referees as you progress through the recruitment process.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data to be able to process your application for a job with us, which includes, but is not limited to:

• assessing your suitability for the role applied for;
• making a decision on whether your application progresses to the next stage of the recruitment process (sifting and shortlisting);
• inviting you to interview or tests;
• making a decision on whether or not to appoint you to the role applied for;
• obtaining further information in order to carry out pre-employment checks if we make a conditional offer of employment to you; and
• gathering of information for equal opportunities monitoring

The legal basis we rely on to undertake our recruitment activities includes:

Contractual obligation (GDPR Article 6(1)(b))
The processing of your job application is necessary in order for us to take steps at your request before entering into a possible employment contract with us.

We require certain information from you to enable us to fulfil our employment pre-contractual and contractual obligations. If you are not able to provide all the necessary information we need we may not be able to process your application and consider you for one of our job vacancies.

Legal obligation (GDPR Article 6(1)(c))
We have certain obligations under employment law in relation to recruitment and selection and equal opportunities that we must comply with.

Processing for employment law (GDPR Article 9(2)(b))
Information you provide to us that relates to special category personal data, such as health, religious or ethnic information is necessary for our recruitment and selection purposes as it relates to our obligations in employment law.

Processing to assess working capacity (GDPR Article 9(2)(h))
We have certain obligations to assess your health in relation to your ability to work for us.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Do we use any data processors?

We do not use any data processors for the purpose of recruitment and selection.

How long do we keep your personal data?

All unsuccessful candidate details are kept for 6 months from the end of the recruitment process they relate to.

Successful candidate details are transferred to their employment record and kept for 6 years after employment ends.

PART 11
IF YOU ARE ONE OF OUR VOLUNTEERS

What personal data do we need?

If you would like to volunteer and help us with the work we do we will need to collect the following personal data from you before you become a volunteer:

• Full Name
• Home address
• Contact details (such as telephone, mobile, email address)
• Date of birth
• Emergency contact details
• Health issues we may need to be aware of
• Personal evacuation emergency plan details
• Any other personal data you give to us that you feel is relevant for us to know

How do we get your personal data?

We gather your personal data directly from you when you complete our volunteer record form.

Why do we need your personal data and which legal basis do we rely on for the processing?

We need your personal data so that we can assign volunteer duties to you so you can contribute to the activities of NCEM.

Our legal basis for the processing is:

Consent - GDPR Article 6(1)(a)
By volunteering with us you are consenting to us processing your personal data for this purpose.

You always have the right to withdraw your consent to being a volunteer and can decide at any time that you no longer wish to be a volunteer for our charity. Should you wish to stop being a volunteer please notify our Operations and Events Manager.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

How long do we keep your personal data?

We keep volunteer records for 6 years from when our relationship with you ends.

Do we use any data processors?

Yes, we use the following data processors:

• Artifax Event – to store contact details
• Microsoft Office 365 – to store and process our information

PART 12
IF YOU ARE ONE OF OUR SUPPLIERS OR CONTRACTORS

What personal data do we need?

For us to pay you for the service or goods you have provided to us, we need to collect and use a small amount of information about you and your business. This is also likely to include some information about the individuals who work at your business. The information we are likely to need is:

• Your business name;
• The name (first and last name) of the person who we are liaising with at your business (in some cases this may be several staff members' details);
• Business postal address;
• Business email address;
• Business telephone number;
• Business mobile number;
• Bank details to enable payment to be made;
• Names, addresses and dates of birth of contract staff and artists/musicians who deliver education projects on our behalf; and
• Any other information you feel is relevant for the purposes of the processing.

We do not collect any of the special categories of personal data.

How do we get your personal data?

We obtain your data directly when we start to use your services or have purchased goods from you. We gather the relevant information from you to enable us to process payment to you for those services and goods.

We also obtain some data, such as your business name and contact details, indirectly from publicly available sources or recommendations from 3rd parties to enable us to contact you to enquire about the services and goods you provide prior to us making a purchase.

Why we need your personal data and the legal basis we rely on for the processing

We need your personal data to either enquire about the services or goods you provide that we may be interested in purchasing or to make a purchase. We then use your personal data to pay for those goods and services when you invoice us or to raise any queries about the payment.

We also need to undertake DBS checks for contract staff and artists/musicians who we use for education projects. We will use your name, address and date of birth to check your status on the DBS system. We only retain the DBS number and date of checking.

The legal bases we rely on are:

Contractual obligation (GDPR Article 6(1)(b))
The services or goods you have provided to us are done so under contract or with a view to entering into a contract (i.e. we have asked you for a quote for the goods or to undertake the service for us).

We require certain information from you to enable us to fulfil our part of the pre-contractual and contractual obligations, e.g. we need to have certain information to make the purchase and to process payment. If you are not able to provide all the necessary information for us to do this, we will not be able to purchase the goods or services you provide or be able to make payment once purchased.

Legal obligation (GDPR Article 6(1)(c))
We have a legal obligation to pay for any services or goods we have purchased.

Who do we share your personal data with?

Your personal data is used by internal employees and contract staff for the purposes as set out in “why we need your personal data”.

Our Accountant will see personal data relating to suppliers and any payments we make.

Invoices may be shared with our grant funders as evidence of expenditure.

How long do we keep your personal data?

We keep all financial data (which includes supplier information) for 6 years from the end of the financial year it relates to.