YMT UK is committed to a policy of protecting the rights and privacy of individuals (including company members, staff and others) in accordance with the General Data Protection Regulation (GDPR) 2016. The Company needs to process certain information about its staff, company members and other individuals it has dealings with for administrative purposes (eg to recruit and pay staff, to administer projects, to record progress, to collect fees, and to comply with legal obligations to funding bodies and government). To comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
The policy applies to all staff and members of the company. Any breach of the General Data Protection Regulation (GDPR) 2016 or the YMT Data Protection Policy is considered to be an offence and in that event, YMT disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the company, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy in conjunction with the Data Protection Lead.
The following principles are complied with when processing personal data:
- Data is processed fairly and lawfully
- Data is processed only for specified and lawful purposes
- Processed data is adequate, relevant and not excessive
- Processed data is accurate and, where necessary, kept up to date
- Data is not kept longer than necessary
- Data is processed in accordance with an individual’s consent and rights
- Data is kept secure
- Data is not transferred to countries outside of the European Economic Area (EEA) without adequate protection
Lawful Basis of Processing Data
The lawful basis of processing of data will always be determined prior to any data being processed. The laws for processing personal data under the GDPR are as follows:
- Consent – the individual has given their Consent to the processing of their personal data – i.e. You have ticked a box when signing up to a newsletter.
- Contractual – processing of personal data is necessary for the performance of a contract to which the individual is a party – i.e. you have purchases a YMT product and we need your details to contact you about this product.
- Legal Obligation – processing of personal data is necessary for compliance with a legal obligation to which Bytes is subject – i.e. The Arts Council request us to hold certain information on our customers.
- Legitimate Interests – processing of personal data is necessary under the Legitimate Interests of YMT UK, unless these interests are overridden by the individual’s interest or fundamental rights – i.e. YMT will use your purchase history to send you information on similar events and products.
- Public Task – processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Vital Interests – processing of personal data is necessary to protect the vital interests of the individual or another individual
- YMT UK processes personal data under one, or more, of the following Lawful Bases:
- Legal Obligation
- Legitimate Interest
Type of Personal Data Being Processed
- The type of personal data being processed may include:
- Email Address
- Job Title
- Telephone Number
- Business Name
- Educational establishment attended
- IP Address
- Demographic information such as postcode
- Special Educational Needs & Disabilities
How Personal Data is Collected
- Personal data is obtained from one or more of the following:
- Visits and use of the YMT website, and associated portals
- Use of YMT social media
- Use of Google Analytics
- Attendees of YMT projects
- Subscribers to YMT newsletters
- Parties entering into agreements with YMT
- Requests for information about products and services offered by YMT
- Employment enquiries
- Why Personal Data is Collected
- Personal data is collected to provide legitimate business services which include:
- For Marketing purposes
- For us to review and reply to your enquiry
- To provide an opinion for a service you have requested
- To meet our statutory monitoring and reporting responsibilities
- To handle and communicate orders, billings and payment, delivery of products and services
- To improve YMT services and product offering
How Personal Data is Used
- Personal data may be used to:
- Process orders, process a request for further information, to maintain records and to provide pre and after-sales service
- Carry out our obligations arising from any contracts entered into by you and us
- Carry out security checks (this may involve passing your details to our Identity Verification partners, who will check details we give them against public and private databases – this helps to protect us from credit risk and both you and us from fraudulent transactions)
- Comply with legal requirements
- We may use third parties to carry out certain activities, such as processing and sorting data, monitoring how customers use our site and issuing our emails for us
- Seek your views or comments on the services we provide
- Notify you of changes to our services
- Send you communications which you have requested and that may be of interest to you. These may include information about product updates, newsletters, events, webinars
- To inform you of various promotions, goods and services that may be of interest to you. You may be contacted by post, email, telephone, SMS or such other means with carefully selected marketing communications we deem relevant to send to you in the legitimate interests of YMT as a provider of youth music theatre training. Each marketing communication sent to you by YMT will provide you with the option to unsubscribe and manage your data profile and communication preferences from YMT at any time
- Process a job application
- Create a profile of your interests and preferences so that we can contact you with information relevant to you. We may make use of additional information about you when it is available from external sources to help us do this effectively
Where Personal Data is Stored
Information collected is stored on the Company’s CRM system in an offsite data centre which is ISO 27001 certified, with IL4-level security. By submitting your data, you consent to the transfer, storage and/or processing of your data wherever it be stored. However, if your data is transferred outside the EEA, steps will be taken to ensure appropriate security measures are in place to ensure your privacy rights continue to be protected as outlined in this Policy.
How long Personal Data is Stored
We review our retention periods for personal data on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will hold personal data on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.
Who has Access to Personal Data
Only YMT employees are granted access to customer information. This is ensured by the use of strict operational processes and procedures.
Staff are trained on security systems and relevant processes and procedures which are reviewed regularly for ongoing effectiveness and suitability for purpose. All employees are kept up-to-date on the YMT security and privacy practices. Employees are notified and/or reminded about the importance we place on privacy, and what they can do to ensure that customer information is protected.
Non-sensitive details (your email address and other requested information) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. We will not sell or rent your information to third parties.
Third-Party Service Providers working on our behalf:
We may pass your information to our third-party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure.
Different rules apply depending on the type of Lawful Processing being undertaken. Many of the following individuals’ rights apply, however, whatever the basis of processing:
- The right to be informed how personal data is processed
- The right of access to their personal data
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The accuracy of personal data is imperative. We aim to keep it updated at all times. The personal data we hold on you is available upon request by contacting email@example.com. You can request that your data is updated and/or deleted at any time, unless YMT can justify that it is retained for legitimate business or legal purpose. When updating your personal data, you may be asked to verify your identity before your request can be actioned. You can change unsubscribe by clicking on the “Unsubscribe” link at the bottom of any of YMT newsletters.
Links to other websites/from other websites
16 or Under
We are concerned to protect the privacy of children aged 16 or under. If you are aged 16 or under‚ please get your parent/guardian’s permission beforehand whenever you provide us with personal information.