Data Protection Policy for Body & Soul
October 2019
Introduction
At Body & Soul privacy and data protection rights are very important to us. We will not collect any personal information about you without your clear permission. Any personal information which you volunteer to Body & Soul will be treated with the highest standards of security and confidentiality, and strictly in accordance with the Data Protection Acts, 1988 & 2003 and with General Data Protection Regulations which came into effect on 25 May 2018.
Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data, in both paper and electronic form. The Data Protection Acts 1988 and 2003 (the “Data Protection Acts”) lay down strict rules about the way in which personal data and sensitive personal data are collected, accessed, used and disclosed.
This document outlines Body & Soul’s policy to help ensure that we comply with the Data Protection Acts.
Inquiries about this Data Protection Policy should be made to: Siân Cunningham, General Manager/Data Protection Officer, Body & Soul - sian@bodyandsoul.ie
Purpose of this policy
This policy is a statement of Body & Soul’s commitment to protect the rights and privacy of individuals in accordance with the Data Protection Acts (1988) and (2003) and the General Data Protection Regulations.
Collecting information
We collect your information as a means of contacting you, a valued Body & Soul stakeholder, in the lead up to and during Body & Soul Festival and ancillary events hosted by Body & Soul throughout the year. Stakeholders include artists, volunteers, suppliers, traders, performers; any and all applicants seeking to engage with the festival or associated events. We retain the right to contact all stakeholders in relation to future events or related opportunities with Body & Soul Festival and associated events. All information provided to us is treated in the strictest confidence and is not made available to any third parties. We have outlined below the variety of ways in which data is collected and stored on our stakeholders, why we collect it, who has access to it and our retention policy for each area.
Data Protection Principles
Body & Soul is firmly committed to ensuring personal privacy and compliance with the Data Protection Acts, including the provision of best practice guidelines and procedures in relation to all aspects of Data Protection. We shall perform our responsibilities under the Data Protection Acts in accordance with the following Data Protection principles:
Obtain and process information fairly
We shall obtain and process personal data fairly and in accordance with statutory and other legal obligations.
Keep it only for one or more specified, explicit and lawful purposes
We shall keep personal data for purposes that are specific, lawful and clearly stated. Personal data will only be processed in a manner compatible with these purposes as defined above.
Use and disclose only in ways compatible with these purposes
We shall use and disclose personal data only in circumstances that are necessary for the purposes for which we collected the data.
Keep it safe and secure
We shall take appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of personal data and against its accidental loss or destruction.
Keep it accurate, complete and up-to-date
We adopt procedures that ensure high levels of data accuracy and completeness, and that data is up-to-date.
Ensure it is adequate, relevant and not excessive
We shall only hold personal data to the extent that it is adequate, relevant and not excessive.
Retain for no longer than is necessary
We have a retention policy for personal data.
Access Requests
We will respond to requests for records within one month of receiving the request.
Body&Soul Filing Systems
Body & Soul uses Google Drive as its electronic filing system. Google Drive facilitates access to documents and files only in situations where they have been specifically shared with an individual. It is our operational policy that files are only shared with the team members who need to access the information to carry out their duties. Data is deleted as per our retention policies which are outlined in each area below.
Google Drive is a secure platform for file storage and is GDPR compliant - https://cloud.google.com/security/gdpr
Body&Soul retains minimal information in hard copy format which is stored in the General Manager’s office. Signed employment contracts are retained in a hard copy file. We retain accounting documents (invoices and related paperwork) as per Revenue Guidelines.
Mailchimp/Customer Mailing Lists
We store data (customer name and email addresses) on our Mailchimp for customers who have explicitly given their consent to us to contact them with marketing information and festival updates on Body & Soul and related events. Subscribers either consent to marketing communications when they purchase their ticket (via an opt in tick box) or they opt in directly via our website newsletter sign up form. We retain this information until a customer decides to opt out of receiving the communications. The Marketing Team have access to this information.
We do not share this information with third parties.
Mailchimp services used by Body & Soul are GDPR compliant - View Mailchimp’s Privacy Policy
Ticketbooth
Ticketbooth is Body & Soul’s Ticketing service and is used to sell tickets to Body&Soul Festival and related events. Information stored on Ticketbooth includes customer names, addresses, emails and billing information. Body&Soul collects this information so that we can verify customer orders, issue customers tickets to the festival and provide them with relevant information that they require in advance of coming to the festival. Customers provide the information as part of the purchasing process. We retain this information on file via Ticketbooth. The Festival Director, General Manager, Ticketing & Entrance Manager, Marketing & Sponsorship Manager and Administrator have access to this information.
We do not share this information with third parties.
Ticketbooth services used by Body & Soul are GDPR compliant - View Ticketbooth’s Privacy Policy
Audience Tools
Audience Tools is a registration platform where customers can sign up to register interest and participate in competitions or draws. Audience Tools captures audience information that we then use to tailor marketing campaigns and competitions. Customers sign up and provide their contact details to us so that they can be contacted for marketing campaigns and competitions. Customer data remains on file on Audience Tools. The Marketing & Sponsorship Manager has access to this information.
We do not share this information with third parties.
Audience Tools services used by Body & Soul are GDPR compliant - View Audience Tools’ Privacy Policy
Stripe
Stripe is a payment platform used by Body & Soul. We use Stripe for ticket sales, concession payments and volunteer ticket deposits. Customer emails are held in the Stripe account. We need this information to contact customers in the event of needing to refund monies or contact them about potential fraudulent payments. Customers provide the information when they make a purchase or payment to Body & Soul. Customer information remains on file as per Stripe’s retention policy. The Festival Director, General Manager and Administrator have access to this information.
We do not share this information with third parties.
Stripe services used by Body&Soul are GDPR compliant - https://stripe.com/guides/general-data-protection-regulation
Marcato
Marcato is festival management software which is used for creating application forms for volunteer, artist therapist & workshop leaders and concession holders for the festival. The information is needed to process the selection of acts/artists and worker roles for the festival and to communicate with them about their duties should they be selected. This information is entered directly by applicants.
The information is accessible by the Festival Director, General Manager, Administrator and the relevant team members who are involved in the selection process. The applicants themselves can access the forms which they have completed.
Should we have an external third party involved in the review process, the information of shortlisted applicants is shared with them too.
Applications are retained for 26 months after obtaining the information and then deleted.
Marcato services used by Body & Soul are GDPR compliant - https://www.marcatofestival.com/gdpr
Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. We use the information to track performance of our website and to calculate the amount of resources we need to deliver the site to our users. This data is generated by the requests made when visitors to our site click on different pages. Our retention policy for this data is set to a default of 14 months. This allows us to easily compare performance from one year to the previous year.
The information is accessible by the Festival Director, General Manager, Administrator, and the Web and Marketing team. This data is also available to the technical support for the Web and Marketing team. This is a requirement to ensure the site remains functional under the heavy load experienced during the festival peak periods.
Guest Details for Tickets
We collate information on guests (name and contact email address) so that we can issue guests with tickets for Body & Soul Festival and related events. Information is obtained directly from the stakeholders by the relevant B & S team members who have requested the information so as to action the production of guest tickets.
Data collected in spreadsheet format is retained for 6 months after obtaining the information. Guest data is transferred to Ticketbooth and remains on Ticketbooth after the event.
This information is not shared with third parties.
Accreditation Information
For safety, security and operational reasons we need to pre-authorise access to the festival site. This pre-authorisation includes but is not limited to artists, staff, traders and suppliers. Anyone requiring access to the site must be approved in advance to access the site and appropriately accredited when entering the site. Pre-authorisation is done through our Accreditation process. To support this process we request information from those requiring access to the site which includes name, email address, contact phone number, next of kin name, contact phone number and vehicle registration. Information is obtained through the lead contact of each group/supplier/contractor. This information is accessible by Festival Director, General Manager, Ticketing & Entrance Manager, Accreditation Officer, Assistant Accreditation Officer and the lead contact who provided the information.
Data is collected through our festival management system, Marcato, and is retained for 30 months after obtaining the information. Personal information is then deleted from our system.
Staff Details
We request specific information from our staff when they commence a contract with Body & Soul. This information includes name, address, contact phone number, next of kin details, PPS number, P45, bank details. This information is required for contract purposes and for payment purposes. Information is obtained directly from the employee either by the General Manager, Administrator or the relevant department head or assigned team member. This information is passed on to the General Manager who liaises directly with DHKN, the accounting firm contracted to process B & S payroll. Relevant data is shared with DHKN to facilitate payroll processing.
All staff details are accessible to the Festival Director and General Manager. Banking and payment information is accessible by the Administrator. If another team member is involved in gathering banking and payment information for a department s/he has access to this information.
Banking details for individuals are saved on our online banking platform (www.aib.ie).
This information is retained on file as part of our HR and Accounting filing procedures.
Vacant Position Applications
CVs and cover letters for advertised roles with Body & Soul are saved on to our internal filing system. We hold this information for recruitment purposes. The information is provided to us when the applicant applies for a role with Body&Soul. All application details are accessible to the Festival Director, General Manager and Administrator. Depending on the role other team members/department heads are involved in the recruitment process. In these instances applications are shared with that staff member.
For certain positions an external interviewer is asked to join the interview panel. When this happens, shortlisted applications are shared with the external interviewer.
Applications are retained on file so that we can contact you in the event that another suitable vacancy arises that may be of interest to you. Your data will be used for recruitment purposes only.
Responsibility
Overall responsibility for ensuring compliance with Data Protection Acts rests with Body & Soul. All employees and contractors of Body & Soul who separately collect, control or process the content and use of personal data are individually responsible for compliance with the Data Protection Acts. Body & Soul’s Data Protection Officer coordinates the provision of support, assistance, advice and training within Body&Soul to ensure that the company is in a position to comply with the legislation.
We will inform the DPC of any breaches on Body & Soul’s behalf within 72 hours.
Review
This Data Protection Policy will be reviewed regularly in light of any legislative or other relevant developments.
This Data Protection policy is available on the Body & Soul website.