Privacy Statement

• Enter CIC collects basic personal data about our students and exam candidates, as well as their parents/carers.
• We collect minimal personal information about our visitors to our buildings (see CCTV below) and website.
• We collect basic contact details from those who buy tickets to our performances.
• We collect personal information about our staff and volunteers.
• We collect personal data of exam candidates and some of this information may be shared with exam boards and other agents to process examinations and subsequent reporting and certification. We may have information shared with
  us by candidates’ learning provider (such as name, exam taking, grades and other information to facilitate our candidate’s exam submission.
• We collect personal information of people who engage with our projects, competitions, social media campaigns and seasonal events.
• We process personal information relating to schools and other organisations with which we work alongside, in partnership or as a service or product provider.
• All personal data we collect is volunteered by the owner of the information or their authorised representative (parent). Usually, this will be on our enrolment form, Image Processing Consent Form, web forms and any other permission
  forms we use for bespoke trips and visits and performances. It may also include forms determined for our use under a contractual arrangement with a local authority.
• Typically, we collect name, address, date of birth, some contact details, as appropriate, and other information that allows us to provide the best service.
• We do not process any sensitive information (known as Special Category Information) unless this is required to safeguard our staff, volunteers, students, parents, participants and visitors (such as medical information).

We give you privacy information in a number of ways; in writing, orally, in signage and electronically.

This can be at the time we collect personal information, before you give personal information, enter an area, in signs or symbols and on our website.

We hope our signage is clear, well-positioned and gives you the information you need in an accessible format you can understand.

Please let us know if this is not the case.

All the personal data we process is processed securely by our GDPR-trained staff in the UK.

Our website’s IT servers are also in UK data centres, so personal data is not shared internationally (see ‘Marketing information’ below).

No third parties or unauthorised personnel have access to personal data at Enter, unless the law allows them to access it, or we must share it to safeguard staff, volunteers, students, parents and visitors, or in line with our
legal duty to share information.

Where we do share personal information, this is done using the most secure methods available to us.

Obligations

Sometimes we need to share personal information with other organisations to carry out a legal obligation, such as make sure candidates are registered with exam / awarding bodies and ensuring volunteers, tutors and chaperones are suitably qualified and DBS-checked, as applicable. We are also obliged to share information that may be relevant to formal investigations carried out by ‘competent authorities’.

Funders

We may also share personal information with local authorities or other parties such as funders who may have supported a project. There may be occasions when a contractual obligation requires us to share personal information.

Sometimes a condition of funding is that we share photographs with funders to prove the project took place. Our funders may display images we have taken on their website or social platforms to show the good projects to which they have provided financial and other support.

Protection

We may also share personal information with agencies to protect the interests of our business, our customers and related parties.

Agreements

Where the sharing of information may be extensive or highly sensitive, when sharing personal information with others as a data controller or data processor, we have a GDPR-compliant Data Sharing Agreements in place to protect personal information.

Examinations

We may share your results information with you and other third parties. These may include:

• A parent or person with power of attorney to manage your affairs.
• An awarding body or regulator for appeals, quality control, etc.
• A learning provider or other party who is administering your studies / learning journey.
• A third party who is contributing information to an EHCP in your interests.
• A funder of your course(s).
• Other third partes if legislation compels us to do so.
• Other third parties with whom you’d generally expect us to share information in your interests.

We may be required to retain personal information under certain laws, but, we will not keep personal data for longer than we need it.

Our CCTV system holds personal data for 30 days.

When it comes time to delete personal information (if we’re asked to delete it, or if we no longer need to keep it), we always delete it securely, in line with the UK GDPR.

We also use certified confidential disposal services where appropriate.

There may be some exemptions that require us to keep your personal information for certain periods of time, even if we receive a request from you to delete it.

Personal information that is used for marketing purposes will be kept with us until we no longer need it, or you notify us that you no longer wish to receive this information.

Sometimes, with permission, we take pictures of our staff, volunteers, students, parents/carers, patrons, project participants and business partners and post them to social media.

The online servers of Facebook, Twitter and Instagram (on which these images are held) may be outside the UK, but within the European Economic Area (Ireland).

We may use your name and email address to inform you of our future projects, offers or opportunities.

We may use a third-party service such as MailChimp, which is a GDPR-compliant service.

This information is not shared with other third parties and, after subscribing, you can unsubscribe at any time by contacting us, or using the links in the electronic communication we send.

We work hard to ensure our practices fall within the legal scope of the Privacy and Electronic Communications Regulation (PECR). If you feel we have fallen short of our usual high standards in terms of electronic marketing communications,
please get in touch.

We rarely need sensitive details such as financial and medical information, except where this concerns payment of invoices, payment via our Point of Sale device, or the welfare and safeguarding of those using our services and buildings.

You are always free to ask us why we need certain information and it is your right to refuse the request, but it may affect the level of service we can provide.

We will never sell your personal information.

We will never give unauthorised access to your personal information.

Currently, we don’t process bio metric information.

We do collect financial information through our Point of Sale system. If you choose to pay for our services or products via Credit or Debit Card to our secure Point of Sales device/system, we will collect financial information related to that particular transaction.

This may include setting up a limited customer profile on our payment system, which ensures that we are processing only the personal information you give us.

It allows us to process future payments more quickly and conveniently for you.

We will only keep this information for as long as we need it.

Our system fully supports your privacy rights in relation to access, correction (rectification), deletion (right to be forgotten), objection to profiling, restriction of processing or portability of your personal information.

We do not process directly any secure card information, which is carried out by our authorised, legally-compliant merchant/service provider.

When payment is made for tickets via our TicketSource portal, we do not collect financial information, only name and contact information.

Such financial information is retained on secure servers by TicketSource and we cannot access it.

You can find more helpful information here:  
https://www.ticketsource.co.uk/kb/terms-of-use. TicketSource is GDPR-compliant.

We may collect your browsing information to help us understand what content or pages visitors to our website find useful.

We only collect this information with your consent and do not automatically collect your browsing data before consent.

Use the Cookie Control link in the bottom of our website to manage your cookie settings.

You can ask to see a copy of any of your personal information we may be processing.

If we are processing your personal data, we will let you know without undue delay and within one month and give you a copy of that data, if that’s what you wish.

If at any point you believe the information we process about you is incorrect, you can request to have this corrected or deleted.

You can also ask us to stop processing your personal data.

We use CCTV for the safety and security of our staff, students and customers, as well as our property.

Our CCTV systems can take the form of static cameras on the external and internal areas of our building, as well as on-body or mobile cameras where we see a criminal offence taking place (or imminent) or where a person or persons may be at risk of harm.

We do not keep CCTV images for longer than 30 days unless required to by a competent authority, court order or legal requirement.