Enter CIC is registered with the Information Commissioner’s Office to process personal data. Enter CIC is a data controller. 

Registration Number: Z2486288.

Our personal information management procedures are GDPR compliant. GDPR = General Data Protection Regulation, the new law that helps to keep your personal information safe. When referencing GDPR, we also include references to the new Data Protection Act 2018 and UK GDPR. We process personal information under a lawful basis of: Legitimate interests.

Contacting Enter CIC, the Data Controller 

If you wish to contact us regarding your personal information, you can do so at info@entercic.org, or use the details on our  contact page. Before we begin processing your request we will always request to check your identity and any claim of representation you make for access to personal information.

If you are not satisfied with our response you can contact the Information Commissioner’s Office (ICO).

Personal information we need

Enter CIC collects basic personal data about our students and exam candidates, as well as their parents/carers.

We collect minimal personal information about our visitors to our buildings (see CCTV below) and website.

We collect basic contact details from those who buy tickets to our performances.

We collect personal information about our staff and volunteers.

We collect personal data of exam candidates and some of this information may be shared with exam boards and other agents to process examinations and subsequent reporting and certification. We may have information shared with us by candidates’ learning provider (such as name, exam taking, grades and other information to facilitate our candidate’s exam submission.

We collect personal information of people who engage with our projects, competitions, social media campaigns and seasonal events.

We process personal information relating to schools and other organisations with which we work alongside, in partnership or as a service or product provider.

All personal data we collect is volunteered by the owner of the information or their authorised representative (parent). Usually, this will be on our enrolment form, Image Processing Consent Form, web forms and any other permission forms we use for bespoke trips and visits and performances. It may also include forms determined for our use under a contractual arrangement with a local authority.

Typically, we collect name, address, date of birth, some contact details, as appropriate, and other information that allows us to provide the best service.

We do not process any sensitive information (known as Special Category Information) unless this is required to safeguard our staff, volunteers, students, parents, participants and visitors (such as medical information).

Why we need personal information

Students and candidates
We need to know students’ personal information to provide learning programmes and cultural, creative and examination opportunities for our students and other persons who engage with our services.

Parents and carers
We also need to collect the personal information of parents and carers (especially of students or candidates under 18) to contact them in certain situations (administrative, safeguarding and updates).

Project Participants and Funders
We need to process personal information relating to project participants to ensure that we are meeting the requirements of public or private funding.

Staff and volunteers
We need to process personal information about our staff and volunteers for general administrative purposes. This may include financial information and information related to the Disclosure and Barring Service (DBS), the right to work in the UK, etc.

We do not collect any personal data that we do not need.

Privacy information we give to you

We give you privacy information in a number of ways; in writing, orally, in signage and electronically.

This can be at the time we collect personal information, before you give personal information, enter an area, in signs or symbols and on our website.

We hope our signage is clear, well-positioned and gives you the information you need in an accessible format you can understand.

Please let us know if this is not the case.

Is personal information safely handled?

All the personal data we process is processed securely by our GDPR-trained staff in the UK.

Our website’s IT servers are also in UK data centres, so personal data is not shared internationally (see ‘Marketing information’ below).

No third parties or unauthorised personnel have access to personal data at Enter, unless the law allows them to access it, or we must share it to safeguard staff, volunteers, students, parents and visitors, or in line with our legal duty to share information.

Where we do share personal information, this is done using the most secure methods available to us.

Sharing personal information


Sometimes we need to share personal information with other organisations to carry out a legal obligation, such as make sure candidates are registered with exam / awarding bodies and ensuring volunteers, tutors and chaperones are suitably qualified and DBS-checked, as applicable.


We may also share personal information with local authorities or other parties such as funders who may have supported project which benefit schools and the local and wider community. There may be occasions when a contractual obligation requires us to share personal information.

Sometimes a condition of funding is that we share photographs with funders to prove the project took place. Our funders may display images we have taken on their website or social platforms to show the good projects to which they have provided financial and other support.


We may also share personal information with agencies to protect the interests of our business, our customers and related parties.


Where appropriate, when sharing personal information with others as a data controller or data processor, we have a GDPR-compliant Data Sharing Agreements in place to protect personal information.

How long we keep personal data?

We may be required to retain personal information under certain laws, but, we will not keep personal data for longer than we need it.

Our CCTV system holds personal data for 30 days.

Deleting personal information

When it comes time to delete personal information (if we’re asked to delete it, or if we no longer need to keep it), we always delete it securely, in line with the GDPR.

We also use certified confidential disposal services where necessary.

There may be some exemptions that require us to keep personal information for certain periods of time, even if we receive a request to delete it.

Marketing information

Personal information that is used for marketing purposes will be kept with us until we no longer need it, or you notify us that you no longer wish to receive this information.

Sometimes, with permission, we take pictures of our staff, volunteers, students, parents/carers and patrons and post them to social media.

The online servers of Facebook, Twitter and Instagram (on which these images are held) may be outside the UK, but within the European Economic Area (Ireland).

We may use your name and email address to inform you of our future projects, offers or opportunities.

We may use a third-party service such as MailChimp, which is a GDPR-compliant service.

This information is not shared with other third parties and, after subscribing, you can unsubscribe at any time by contacting us, or using the links in the electronic communication we send.

We work hard to ensure our practices fall within the legal scope of the Privacy and Electronic Communications Regulation (PECR). If you feel we have fallen short of our usual high standards in terms of marketing communications, please get in touch.

What we don’t need

We rarely need sensitive details such as financial and medical information, except where this concerns payment of invoices, payment via our Point of Sale device, or the welfare of those using our services and buildings.

You are always free to ask us why we need certain information and it is your right to refuse the request, but it may affect the level of service we can provide.

What we will never do

We will never sell your personal information, or share it with a third party without your consent.

We will never give unauthorised access to your personal information.

We will never use it for any purposes that you have not agreed to, or for purposes that do not appear in this statement.

What we don’t process at all

We don’t process bio metric information.

Point of Sale (POS) Processing 

We do collect financial information through our Point of Sale system. If you choose to pay for our services or products via Credit or Debit Card to our secure Point of Sales device/system, we will collect financial information related to that particular transaction.

This may include setting up a limited customer profile on our payment system, which ensures that we are processing only the personal information you give us.

It allows us to process future payments more quickly and conveniently for you.

We will only keep this information for as long as we need it.

Our system fully supports your privacy rights in relation to access, correction (rectification), deletion (right to be forgotten), objection to profiling, restriction of processing or portability of your personal information.

TicketSource (online ticket purchasing for events) 

When payment is made for tickets via our TicketSource portal, we do not collect financial information, only name and contact information.

Such financial information is retained on secure servers by TicketSource and we cannot access it.

You can find more helpful information here:   https://www.ticketsource.co.uk/kb/terms-of-use. TicketSource is GDPR-compliant.


We may collect your browsing information to help us understand what content or pages visitors to our website find useful.

We only collect this information with your consent and do not automatically collect your browsing data before consent.

Use the Cookie Control link in the bottom of our website to manage your cookie settings.

What are your rights? 

You can ask to see a copy of any of your personal information we may be processing. If we are processing your personal data, we will let you know without undue delay and within one month and give you a copy of that data, if that’s what you wish.

If at any point you believe the information we process about you is incorrect, you can request to have this corrected or deleted.

You can also ask us to stop processing your personal data.

Submit a request.


We use CCTV for the safety and security of our staff, students and customers, as well as our property.

Our CCTV systems can take the form of static cameras on the external and internal areas of our building, as well as on-body or mobile cameras where we see a criminal offence taking place (or imminent) or where a person or persons may be at risk of harm.

We do not keep CCTV images for longer than 30 days.