Privacy statement

Purpose

This Statement outlines the data protection policies and procedures we have adopted and to which we abide to ensure we are compliant with data protection laws. The purpose of this Statement and any other documents referred to in it, is to clearly list and identify the legal requirements, procedures and rights which must be established when we obtain, process, transfer and/or store your Personal Data. This Statement will assist you in understanding the obligations, responsibilities and rights which arise from the Data Protection Laws.

Who are we?

The Boulevard Theatre is operated by The Boulevard Theatre Company Limited (registered in England and Wales, company number 10440836, registered office 58 Wardour Street, London W1D 4JQ). The Boulevard Theatre Company Limited has two subsidiary companies: Boulevard Theatre Productions Limited (registered in England and Wales, company number 11580184, registered office 58 Wardour Street, London W1D 4JQ), which presents productions at the Boulevard Theatre and Boulevard Theatre Bar Limited (registered in England and Wales, company number 11632811, registered office 58 Wardour Street, London W1D 4JQ), which provides food and beverages at the Boulevard Theatre.

In this Privacy Statement, “we”, “our” or “us” shall refer to The Boulevard Theatre Company Limited and Boulevard Theatre Productions Limited trading as the Boulevard Theatre. “You” or “your” shall refer to the person(s) using this website.

We are registered with the Information Commissioner’s Office under the Data Protection Register: The Boulevard Theatre Company’s registration number is ZA493580. Boulevard Theatre Productions’ registration number is ZA482066. Boulevard Theatre Bar’s registration number is ZA504668.

Introduction

Everyone has rights with regard to the way in which their Personal Data is handled. In order to operate efficiently we need to collate and use information about the people with whom we work. This includes current, past and prospective employees, customers, and others with whom we communicate.

We regard the lawful and correct treatment of personal information as integral to successful operation and to maintaining the confidence of the people we work and communicate with. To this end we fully endorse and adhere to the principles of the relevant Data Protection Laws.

Definitions

Data: Information stored electronically, on a computer, server or in certain paper-based filing systems.

Data Controller: We have determined the purposes for which, and the manner in which, your Personal Data is processed. The Data Controller has overall responsibility for compliance with the Data Protection Laws.  Any questions about the operation of this Statement or any concerns that the Statement has not been followed should be referred in the first instance to us at hello@boulevardtheatre.co.uk.

Data Processor: Any person or organisation that is not a Data User that processes Personal Data on our behalf and in accordance with our specific instructions. Our staff will be excluded from this definition but, the definition could include suppliers who handle Personal Data on our behalf.

Data Subjects: All living individuals about whom we hold Personal Data. All Data Subjects have legal rights concerning the processing and storage of their personal information.

Data Users: Our employees whose work involves processing your Personal Data. Data users are responsible for the proper use of the data they process and must protect the data they handle in accordance with this Statement.

Enactments: The Data Protection Act 1998 (the Act) up to and until 25 May 2018 after which The General Data Protection Regulations 2017 (GDPR) will apply, both of which regulate the way in which all Personal Data is held and processed.

Personal Data: Information which can be used to directly or indirectly identify a living individual.

Processing: Any activity in which the data is used, including (but not limited to) obtaining, recording, organising, amending, retrieving, using, disclosing, erasing, destroying and/or holding the data. The term “processing” also includes transferring Personal Data to third parties.

Supervisory Authority: The Authorised Body which is empowered to govern and manage how the GDPR is implemented and abided by in a particular EU state. In the case of the UK the Supervisory Authority is the Information Commissioner’s Office.

Special Categories of Personal Data: This includes information about a person’s race, ethnicity, political opinions, convictions, religion, trade union membership, physical and/or mental health, and sexual preference. Special categories of Personal Data can only be processed with the express written consent of the person concerned.

Definitions and terms used in relation to the GDPR can be found at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Statement

In accordance with the GDPR anyone processing Personal Data must comply with the six principles of good practice. These provide that Personal Data must:

  • be processed fairly, lawfully and transparently;
  • only be used for the purpose for which it was collected;
  • be adequate, relevant and not excessive for the purpose for which it is being processed;
  • be accurate and kept up-to-date;
  • not be kept longer than necessary to fulfil the purpose of its collection; and
  • be kept secure and protected from unauthorised processing, loss, damage or destruction which includes the data not being transferred to a country or territory outside the European Economic Area unless the Personal Data is adequately protected or consent of the Data Subject has been provided.

Fair, lawful and transparent processing

For Personal Data to be processed lawfully, the basis for the processing must be one of the legal grounds set out in the Enactments. These include, among other things, your written consent to the processing, or that the processing is necessary for the performance of our contract with you.

In the event we collect Personal Data directly from you, this Statement should assist in informing you about:

  • The purpose or purposes for which we intend to process your Personal Data.
  • The types of third parties, if any, with which we may share or disclose your Personal Data.
  • The means with which you can limit our processing and disclosure of your Personal Data.

If we receive Personal Data about you from other sources, we will provide you with this information as soon as possible thereafter.

When special categories of Personal Data are being processed, additional conditions and securities must be in place to ensure protection.

The data we collect about you

Personal Data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of Personal Data about you. In the table below, we give more details about his Personal Data.

Activity Personal Data collected Lawful basis
Visiting our website
IP address
Website you came from
Web browser
Activity on the website
Contractual obligation and pre-contractual negotiation for ticket selection/purchasing process and legitimate interest for marketing and activity tracking
Creating an account
First name and last name
Postal address
Email address
Telephone number
Contractual obligation (this information may also be used for marketing – see below)
Making a restaurant reservation
First name and last name
Email address
Telephone number
Contractual obligation
Making a purchase or hiring the venue
First name and last name (not in person at the venue)
Postal/billing address (not in person at the venue)
Email address (not in person at the venue)
Telephone number (not in person at the venue)
Payment card details (processed by our payment processor)
Contractual obligation (this information may also be used for marketing – see below)
Joining a membership scheme
First name and last name
Postal/billing address
Email address
Telephone number
Date of birth (if eligibility is determined by age)
Payment card details (processed by our payment processor on a continuous payment authority)
Contractual obligation (this information may also be used for marketing – see below)
Contacting us
Personal Data you provide
Consent
Sending marketing communications to you
Only using data already collected or provided
Legitimate interest (and in the case of living individuals, consent)
Sending email marketing messages to you
Times, dates, IP addresses, geographic location of user interaction with message
Nature of user interaction with message (e.g. opens, clicks, forwards etc.)
Legitimate interest (and in the case of living individuals, consent)
Visiting the venue
CCTV images
Legitimate interest
Visiting the venue with access requirements
Access requirements
Contractual obligation
Eating or drinking at the venue
Allergy details
Consent
Entering competitions
Personal details for prize winners
Contractual obligation
Applying for a job
First name and last name
Postal address
Email address
Telephone number
Employment history
Consent

Cookies

We use cookies on this website to provide you with a better user experience. We do this by placing a small text file on your device to track how you use the website, to record or log whether you have seen particular messages that we display, to keep you logged into the website where applicable and to display relevant adverts or content. Some cookies are required to enjoy and use the full functionality of this website.

We use a cookie control system which allows you to accept the use of cookies and control which cookies are saved to your device. Some cookies will be saved for specific time periods, where others may last indefinitely. Your web browser should provide you with the controls to manage and delete cookies from your device, please see your web browser options.

We use the following cookies:

_ga: This cookie is used to track and report website traffic. This cookie is set for one year

gid: This cookie is used to track and report website traffic. This cookie is set for one year

Processing for limited purposes

In the course of our business, we shall process the Personal Data we receive directly from you (for example, by you completing forms, sending us papers or from you corresponding with us by mail, phone, email or otherwise) and your Personal Data which we receive from any other source.

We shall only process your Personal Data to fulfil and/or enable us to satisfy the terms of our obligations and responsibilities or for any other specific purposes permitted by the Enactments. Should we deem it necessary to process your Personal Data for purposes outside and/or beyond the reasons for which it was originally collected, we will contact you first, to inform you of those purposes and our intent and may also apply for your consent.

Adequate, relevant non-excessive processing

We will only collect and process your Personal Data as required to fulfil the specific purposes of our relationship, contract and agreements with you.

Accurate and up-to-date Personal Data

We shall ensure that all Personal Data held is accurate and up to date and will check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. If you become aware that any of your Personal Data is inaccurate, you are entitled to contact us and request that your Personal Data is amended. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

Timely processing of the Personal Data

We will not keep Personal Data longer than is necessary for the purpose or purposes for which it was collected. Once Personal Data is no longer required, we will take all reasonable steps to destroy and erase it.

Keeping your Personal Data secure

Our employees and contracted personnel are bound to our privacy policies, procedures and technologies which maintain the security of all your Personal Data from the point of collection to the point of destruction.

We maintain data security by protecting the confidentiality, integrity and availability of your Personal Data, and when we do so we abide by the following definitions:

  • Confidentiality: We ensure that the only people authorised to use your Personal Data can access it.
  • Integrity: We will make certain that your Personal Data is accurate and suitable for the purpose for which it is processed.
  • Availability: We have established procedures which mean only our authorised Data Users should be able to access your Personal Data if they need it for authorised purposes.

We also maintain security procedures which include, but are not limited to:

  • Secure lockable desks and cupboards. Desks and cupboards shall be kept locked if they hold your Personal Data.
  • Methods of disposal. Paper documents containing Personal Data are shredded and digital storage devices shall be physically destroyed when they are no longer required.
  • Data Users shall be appropriately trained and supervised in accordance with this Statement which include requirements that computer monitors do not show confidential information to passers-by and that Data Users log off from or lock their PC/electronic device when it is left unattended.
  • Our computers have appropriate password security, boundary firewalls and effective anti-malware defences.  We routinely back-up electronic information to assist in restoring information in the event of disaster and our software is kept up-to-date with the latest security patches.
  • One or all of the following measures shall be applied to the Personal Data held where appropriate; separating the Personal Data and/or pseudonymisation and/or the encoding of the data.

We shall take appropriate security measures against unlawful and/or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, your Personal Data.

We shall only transfer your Personal Data to a Data Processor (a Data User outside our business) if the Processor agrees to comply with our procedures and policies, or if the Processor puts in place security measures to protect Personal Data, which we consider adequate and are in accordance with the Enactments.

Transferring the Personal Data out of the EEA

We shall only transfer any Personal Data we hold to a country outside the European Economic Area (“EEA”), if one of the following conditions applies:

  • The country to which your Personal Data shall be transferred ensures an adequate level of protection and can ensure your legal rights and freedoms.
  • You have given your consent that your Personal Data is transferred.
  • The transfer is necessary for one of the reasons set out in the Enactments, including the performance of a contract between you and us, or to protect your vital interests.
  • The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
  • The transfer is authorised by the ICO and we have received evidence of adequate safeguards being in place regarding the protection of your privacy, your fundamental rights and freedoms, and which allow your rights to be exercised.

The Personal Data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those Data Users may be engaged in, among other things, the fulfilment of contracts with you, such as the processing of payment details and/or the provision of support services.

How we will use your Personal Data

We will only collect and process your Personal Data to the extent that it is needed to fulfil our operational and contractual needs or to comply with any legal requirements.

We shall access and use your Personal Data in accordance with your instructions and as is reasonably necessary:

  • to fulfill our contractual obligations and responsibilities to you;
  • to provide, maintain and improve our services;
  • if we intend to use your Personal Data for the advrtising and marketing of our services and/or the services of our affiliates, we shall seek your separate express consent and you are entitled to opt out of these services at any time; and
  • to respond to your requests, queris and problems;
  • to inform you about any changes to our services and reated notices, such as security and fraud notices.

When we may share your Personal Data

There are times when we may need to share your Personal Data. This section discusses how and when we might share your Data.

In the course of us fulfilling our role it will be necessary for us to disclose your Personal Data in certain situations:

  • We use secure external servers to process/store our electronic records, including your Personal Data, which are maintained by Microsoft.
  • We use Spektrix to provide our box office system.
  • We use SagePay to process card payments.
  • We use dotdigital to provide our email marketing service.
  • We use external suppliers to maintain our IT systems; none of these suppliers have routine access to your Personal Data but may be able to see it occasionally to resolve an IT issue.
  • There may also be situations in which it is necessary for us to disclose your Personal Data to other third parties, which include but are not limited to sub-contractors.
  • If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, lawful requests, court orders and legal process.
  • To enforce or apply any contract or other agreement with you.
  • To protect our rights, property, or safety and that of our employees, members, or others, in the course of investigating and preventing money laundering and fraud.

Your rights and requests concerning your Personal Data

We will process and manage all your Personal Data in line with your rights; in particular your rights to:

    • request access to any data we hold about you;
    • prevent the processing of your Personal Data for direct-marketing purposes, if so instructed;
    • ask to have inaccurate Personal Data amended;
    • be forgotten, and have all relevant Personal Data erased (subject to our overriding legal obligations);
    • prevent processing which is likely to cause damage or distress to you or anyone else;
    • request certain restrictions on the processing of your Personal Data;

receive a copy of your Personal Data and/or request a transfer of your Personal Data to another Data Controller;

  • not be subject to automated decision making;
  • be notified of a data security breach which affects your rights and freedoms, without undue delay;
  • if you have provided your express consent that your Personal Data may be processed for marketing and advertising purposes, you are entitled to withdraw that consent. Such a withdrawal will not affect any processing of the data completed before consent was withdrawn; and
  • to make certain requests to us concerning how your Personal Data is managed.

If you are a living individual, we will only send you marketing communications if you have consented to be contacted in this way, and you can withdraw this consent at any time by contacting us using the information at the start of this policy, following the unsubscribe instructions that are in every marketing communication that we send, or visiting our website. If you are a business we may send you marketing communications without prior consent, but you still have the same rights to ask us to stop.

Access and portability requests

You are entitled to request access to your Personal Data unless providing a copy would adversely affect the rights and freedoms of others.

You can also request information about the different categories and purposes of data processing; recipients or categories of recipients who receive your Personal Data, details on how long your Personal Data is stored for, information on your Personal Data’s source and whether the Data Controller uses automated decision-making.

You also have “Data Portability” rights which includes the right to request a copy of your Personal Data be sent to you or transmitted to another Data Controller.

Correction requests

You are entitled to request we correct or complete your inaccurate or incomplete Personal Data without undue delay and we will update the information and erase or correct any inaccuracies as required.

Erasure requests

You can exercise your “right to be forgotten” and can request we erase your Personal Data. Once receiving a request we must erase the Personal Data without delay, unless an exception applies that permits us to continue processing your data. Details of such exceptions are contained in the Enactments and include situations where we might need to retain the information to carry out our official duties and/or comply with legal obligations and/or for the establishment of exercising or defending legal claims, or it is in the public interest to retain your Personal Data.

Restriction requests

You may request restrictions be applied to the processing of your Personal Data for some specific reasons such as you contest the accuracy of the data, the processing is unlawful or if we no longer need to process your Personal Data. You can also request restrictions be applied if the processing is being done for public interest or third party reasons.

If such a request is received we can continue to store your Personal Data, but may only process it under certain circumstances, such as: you give consent for us to continue processing your data, we need to establish, exercise, or defend legal claims or we need to protect the rights of another individual or legal entity or for important public interest reasons.

Objection requests

You may also object to your Personal Data being processed under certain circumstances, including for direct marketing purposes and profiling related to direct marketing.

If we receive such an objection we will stop processing your Personal Data unless we can show a compelling legitimate ground for processing your Personal Data which overrides your interests and the basis of your request.

Your telephone queries and requests

When receiving telephone enquiries, in which Personal Data is requested we will only verbally disclose Personal Data held on our systems if we can confirm the caller’s identity so as to ensure that the data is only given to a person who is entitled to receive it.

We may suggest that a caller put their request in writing to assist in establishing the caller’s identity, and to enable us to clearly record the nature of the request and to assist in further identity checks.

If we have reasonable doubts about the identity of the person making the request, we may request additional information to confirm the caller’s identity.

In difficult situations our Data Users may refer a request to their line manager for assistance.

Your written queries and requests

When responding to written requests Personal Data will only be disclosed if we can confirm the identity of the sender and/or sufficient supporting evidence is provided by the sender establishing their identity.

Responding to your requests

Upon receiving a request from you concerning your Personal Data, we will respond within one month of receiving the request by email (unless you request a response in an alternative format).

If we are unable to immediately comply with your request we will inform you within our response stating whether we need to extend our response time (for up to a maximum of two months), along with an explanation for the delay.

Your complaints

If you have any concerns as to how your data is processed you can contact: hello@boulevardtheatre.co.uk.

You have the right to lodge a complaint to the Information Commissioner’s Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regard to your Personal Data.

Address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow Cheshire
SK9 5AF
Tel: 0303 123 1113
Email: casework@ico.org.uk

Changes to our Privacy Statement

We keep our Privacy Statement under regular review and reserve the right to amend and update the policy as required. Where appropriate, we will notify you of those changes by mail, email and/or by placing an updated version of the policy on our website. Last reviewed 7 June 2019.