Last updated: 1/08/2019

Starbrite Studios Limited treats the privacy of its customers, prospective customers and website users very seriously and we take appropriate security measures to safeguard your privacy.

This policy describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this privacy policy or as otherwise stated at the point of collection.

Personal data is any information relating to an identifiable living person. Starbrite Studios processes personal data for numerous purposes. For each purpose the means of collection, lawful basis of processing, disclosure, and retention periods may differ.

If you have any questions, please write to the Data Protection Officer at Starbrite Studios Limited, Units 13-15 Brookfield Business Park, Clay Lane, Shiptonthorpe, York, YO43 3PU or email info@starbritestudios.co.uk.

In accordance with the Data Protection Act 1998 we are registered with the Information Commissioner’s Office (ICO) and our registration number is ZA183835.

How we obtain your personal data

Information provided by you

You provide us with personal data via completion of paper-based and electronic forms or over the telephone. This may also include sensitive information received directly from you in relation to the performance of services we have been engaged to, or may be engaged to carry out on your behalf.

We may also keep information contained in any correspondence you may have with us by post or by email.

The provision of this personal data is essential for us to be able to provide those services for which we have been engaged, or may be engaged. This means that our lawful basis for holding this personal data is one or more of the following:

• 'Notification of provision of services' i.e. we send invoices to you and are sometimes required to notify you of changes to individual classes or or events, or to our wider timetable.
• 'Emergency contact' i.e. as most of our members are children, we may be required to contact our customers in case of emergency, such as injury.
• Information we get from other sources.

We only obtain information from third parties if this is permitted by law. We may also use legal public sources to obtain information about you, for example, to verify your identity. This information (including your name, address, email address, date of birth, etc.), as relevant to us, will only be obtained from reputable third-party companies that operate in accordance with the General Data Protection Regulation (GDPR).

How we use your personal data

We use your personal data to provide, manage and fulfill those services that we have been engaged, or may be engaged to provide to you. At all times we undertake to protect your personal data, in a manner which is consistent with Starbrite Studio’s duty of professional confidence and the requirements of the General Data Protection Regulation (GDPR) concerning data protection. We will always take all reasonable security measures to protect your personal data in storage and in transit. As applicable, the information you provide may be used to (this list is not exhaustive):

• Provide performing arts services – We provide a diverse range of performing arts services. Some of our services require us to process personal data in order to provide advice and deliver our service. For example, we will review children's progression as part of ongoing communications with their parents.
• Administering, managing and developing our businesses and services – We process personal data in order to run our business, including:
• managing our relationship with customers;
• developing our businesses and services (such as identifying customer needs and improvements in service delivery);
• maintaining and using IT systems;
• hosting or facilitating the hosting of events; and
• administering and managing our website and systems and applications.
• Security, quality and risk management activities – We have security policies and procedures in place to protect both our own and our customers’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails.

We monitor the services provided to customers for quality purposes, which may involve processing personal data stored on the relevant customer file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to customer engagements.

Providing our customers and potential customers with information about us and our range of services – We use contact details to provide information that we think will be of interest about us and our services. For example, other services that may be relevant and invites to events.

Complying with any requirement of law, regulation or a professional body of which we are a member – As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.

Sharing information

We will keep information about you confidential and secure. We will never share personal data with any third party unless it is within our lawful basis for doing so and we will never share your data outside of Starbrite Studios for marketing purposes. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security policies.

Personal data held by us may be transferred to:

• Any legal or crime prevention agencies and/or to satisfy any regulatory request if we have a duty to do so or if the law allows us to do so;
• Third party organisations that provide applications/ functionality, data processing or IT services to us, to support us in providing our services and to help provide, run and manage our internal IT systems. For example, providers of information technology, cloud based accounting software, identity verification, data, data back-up, security and storage services;
• Third party organisations that otherwise assist us in providing goods, services or information within our lawful basis for doing so but will never include sharing data for marketing purposes;

Transfer of your personal data outside of the European Union (EU)

As part of the services offered to you, the information which you provide to us will be stored within the EU. Occasionally however, data may be transferred to countries outside of the EU via the use of services utilised by our IT providers. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EU in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.

If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.

How long do we keep this information about you?

We keep information in line with the retention policy guidelines of Starbrite Studios. These retention periods are in line with the length of time it is considered necessary for the purpose for which it was collected. They also take into account our need to meet any legal, statutory and regulatory obligations. These reasons can vary from one piece of information to the next.

How we keep information secure

We take the security of all the data we hold very seriously. We use a range of measures to keep information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

Change in control or sale

If ownership of any part of Starbrite Studios changes, you expressly consent to Starbrite Studios transferring your information to the new owner or successor entity so that we can continue providing our services in accordance with our engagement terms.

The new owner will, under the terms of this privacy policy, be permitted to use your personal data for the purposes for which it was supplied by you, until such time as this privacy policy is updated or amended by the new owner upon notice to you. If required, Starbrite Studios will notify the ICO of such a transfer in accordance with the notification procedure under GDPR.

Data subject rights

Subject access requests

The General Data Protection Regulation (GDPR) grants you, the data subject, the right to access particular personal data that we hold about you. This is referred to as a subject access request. We shall respond promptly and certainly within one month from the point of receiving the request and all necessary information from you.

Right to rectification

You have the right to request from us, without undue delay, the rectification of inaccurate personal data we hold concerning you. Taking into account the purposes of the processing, you may also have the right to have incomplete personal data completed. This may involve providing a supplementary statement to the incomplete data.

Right to erasure

You shall have the right to request from us the erasure of personal data concerning you without undue delay, unless we are required to retain information in order to fulfill our legal obligation or the holding of the data is in accordance with our lawful basis for doing so.

Right to restriction of processing

Subject to exemptions, you shall have the right to restrict the processing of your data where one of the following applies:

• the accuracy of the personal data is contested by you;
• you believe processing is unlawful;
• you believe that we no longer need the personal data for the purposes of processing;
• you have objected to processing of your personal data pending the verification of whether there are legitimate grounds for us to override these objections.

Notification obligation, regarding the rectification or erasure of personal data or the restriction of processing

We shall communicate any rectification or erasure of personal data or restriction of processing as described above to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. We shall provide you with information about those recipients if you request it.

Right to data portability

You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller, without hindrance from us.

Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you, unless this relates to processing that is necessary for the performance of a contract carried out in the compliance of a legal obligation, public interest or an exercise of official authority vested in us. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Right to not be subject to decisions based solely on automated processing

We do not carry out any automated processing, which may lead to an automated decision based on your personal data.

Invoking your rights

If you would like to invoke any of the above data subject rights with us, please write to the Data Protection Officer at Starbrite Studios Limited, Units 13-15 Brookfield Business Park, Clay Lane, Shiptonthorpe, York, YO43 3PU or email info@starbritestudios.co.uk.

Accuracy of information

In order to provide the highest level of customer service possible, we need to keep accurate personal data about you. We take reasonable steps to ensure the accuracy of any personal data or sensitive information we obtain. We also consider when it is necessary to update the information, such as name or address changes and you can help us by informing us of these changes when they occur.

Important information

Questions and queries

If you have any questions or queries which are not answered by this privacy policy please write to the Data Protection Officer at Starbrite Studios Limited, Units 13-15 Brookfield Business Park, Clay Lane, Shiptonthorpe, York, YO43 3PU or email info@starbritestudios.co.uk.

Policy changes

This privacy policy is regularly reviewed to make sure that we continue to meet the highest standards and to protect your privacy. We reserve the right, at all times, to update, modify or amend this Policy. We will notify our data subjects of any significant changes.

If you have a complaint

If you have a complaint regarding the use of your personal data or sensitive information then please contact us by writing to the Data Protection Officer at Starbrite Studios Limited, Units 13-15 Brookfield Business Park, Clay Lane, Shiptonthorpe, York, YO43 3PU or email info@starbritestudios.co.uk and we will do our best to help you.

If your complaint is not resolved to your satisfaction you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO). For further information on your rights and how to complain to the ICO, please refer to the ICO website.