privacy notice
Introduction
Palace Acappella Choir is committed to respecting the privacy and confidentiality of all members, including vulnerable adults and children, and complies with the General Data Protection Regulation (GDPR). This policy outlines how the choir collects, stores, and shares personal information, ensuring that data is handled lawfully, fairly, and transparently.
Purpose of the Policy
The purpose of this policy is to:
-
Explain how personal information is shared within the choir and with external parties.
-
Ensure compliance with GDPR and other relevant data protection laws.
-
Outline the rights of choir members regarding their personal data.
Scope
This policy applies to all choir members, staff, volunteers, and any third parties who may have access to personal information collected by the choir.
Palace Acappella Choir will only collect personal data about you if you have contacted us via our email address palaceacappella@gmail.com, our website www.palaceacappella.co.uk, or booked tickets for taster sessions, workshops or events via our website or a 3rd party booking system.
Data Protection Principles
Palace Acappella Choir adheres to the following GDPR principles:
-
Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and in a transparent manner.
-
Purpose limitation: Data is collected for specified, explicit, and legitimate purposes.
-
Data minimisation: Only the data that is necessary for the intended purposes is collected.
-
Accuracy: Personal data must be accurate and, where necessary, kept up to date.
-
Storage limitation: Data is retained only for as long as necessary.
-
Integrity and confidentiality: Data must be processed securely to prevent unauthorised access, loss, or damage.
What Information Is Collected?
Palace Acappella Choir may collect the following personal data:
-
Contact details: Name, address, phone number, email.
-
Medical information: Relevant health information for safety and safeguarding purposes.
-
Emergency contact details: For children and vulnerable adults.
-
Performance-related data: Photos, videos, and recordings for choir promotion (subject to consent as outlined in the Choir Agreement).
-
Payment information: For choir fees, subscriptions, merchandise, or event bookings.
-
Website user information: Including user journeys and cookie tracking.
Why Is Information Collected?
Personal data is collected for the following purposes:
-
Communication: To keep members informed about choir activities, events, and rehearsals.
-
Safeguarding: To ensure the safety and well-being of every member, especially children and vulnerable adults.
-
Legal compliance: To comply with health and safety regulations, child protection laws, and GDPR.
-
Marketing and promotion: With consent, as outlined in the Choir Agreement and ticket information for any public workshops and events, to use photos, videos, or recordings for publicity materials.
-
Membership management: To keep accurate records of choir membership and subscriptions.
Lawful Bases for Processing
The lawful bases for processing personal data under GDPR include:
-
Consent: Where specific permission has been granted for particular uses of data (e.g., photos, videos).
-
Contractual necessity: Where processing is required for choir membership or event participation.
-
Legal obligation: To comply with laws (e.g., safeguarding and child protection).
-
Legitimate interest: Where processing is necessary for the operation of the choir and does not override individual rights.
-
Vital interest: Where someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life-sustaining food, water, clothing or shelter.
How Information Is Stored
-
Personal data is stored securely in physical or digital formats.
-
Digital data is protected using password-protected systems and encrypted storage where necessary.
-
Access to personal data is restricted to authorised personnel only, such as the Choir Director, choir administrators, and relevant staff.
Information Sharing
Internal Sharing:
-
Personal information will only be shared with authorised choir staff and volunteers who require it to carry out their responsibilities.
-
Medical information will be shared with relevant staff members only for safeguarding purposes during rehearsals, performances, or choir trips.
External Sharing:
-
Personal information may be shared with third parties only when necessary, such as:
-
Emergency services in the event of an incident.
-
Regulatory authorities if legally required (e.g., in the case of safeguarding concerns).
-
Service providers (e.g., venues, insurance companies) for operational purposes, but only if appropriate data-sharing agreements are in place.
-
-
Personal data will not be shared with third parties for marketing or promotional purposes without explicit consent.
Special Categories of Data:
-
Sensitive personal data, such as health information, will only be shared if absolutely necessary for safeguarding purposes or legal compliance, and always in line with GDPR requirements.
Consent
For specific uses of personal data (e.g., taking photos, videos, or promotional materials), the choir will seek explicit consent from:
-
Parents or guardians for children under the age of 18.
-
Adults for their own data, especially vulnerable adults.
-
You can request withdrawal of consent at any time by contacting Palace Acappella Choir.
Data Retention
We will only keep personal data for as long as is necessary to provide our services, or for as long as we reasonably need to keep the information for the lawful business purposes or to comply with a statutory or other legal requirement
Breach Notification
In the event of a data breach that poses a risk to individual rights and freedoms, the choir will:
-
Notify the affected individuals without undue delay.
-
Report the breach to the relevant data protection authority (Information Commissioner’s Office in the UK) within 72 hours, if required.
Data Subject Rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the Information Commissioner's Office (ICO) website https://ico.org.uk.
Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
-
Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
-
Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
-
Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.
-
Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
-
Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
-
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
-
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.
If you make a request, we must respond to you without undue delay and in any event within one month.
How to Exercise Rights:
Members can exercise these rights by contacting Palace Acappella at:
-
Email: palaceacappella@gmail.com
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
Review and Monitoring
This policy will be reviewed annually to ensure compliance with GDPR and any other relevant legislation. Any updates will be communicated to all choir members.
Last updated: November 2024
Contact Information
For any queries regarding this policy or data protection matters, please contact Palace Acappella Choir.