The Story Academy Ltd
GDPR, Privacy and Personal Data Security
The Story Academy Ltd is a provider of screenwriting education in the UK.
Trust is fundamental to our business dealings and ongoing relationships between our company and our customers, and therefore we take the issue of security and privacy of all personal data very seriously.
This statement gives an overview of our commitment to you and shows how we fulfil our responsibilities under the EU’s General Data Protection Regulation (GDPR) which is effective from 25th May 2018.
Personal data held and how it is collected
• Our guiding principle is that we treat all personal data as confidential.
• We comply with all relevant GDPR legislation. Our Data Protection Officer is reponsible for implementing legal policies to ensure legal compliance and to ensure that we maintain the high standards of confidentiality, privacy and security necessary to maintain the trust of our customers.
• We are registered with the Information Commissioner’s Office (ICO) as a Data Processor.
• We use the Eventbrite event technology platform to sell tickets for our workshops and events on our behalf, and the information we gather and hold via this platform includes name, email address, contact phone numbers (optional), and redacted credit/debit card numbers used to make a payment (ie last 4 digits only).
• We gather the names and email addresses of people who have signed up for news emails via the sign-up form on our website. The website is hosted by Wix and personal details are processed via Wix and collected on the Mail Chimp marketing automation platform.
• At our events, customers can opt in to receive follow-up information and materials related to the event, as well information about future services and workshops. This is done by customers providing their name and email address in writing.
• At our events, attendees have the option to sign a media release form giving us permission to use any photos or videos of the attendees, such as on our website and social media. We only take photographs of attendees who explicitly opt in.
• We do not hold data on children.
• We do not hold any sensitive data.
Why this data is held and how it will be used
• In most cases, our lawful basis for processing data is ‘legitimate interest’ in that most data is directly used to fulfil our services to our customers effectively and efficiently.
• In the cases where data is used to send out marketing emails, or where we record permission to use photos, the lawful basis is ‘consent’ as we have specifically sought customers’ consent to hold such data on an ‘opt-in’ basis.
• Eventbrite gathers payment and address details in order to process ticket orders, and also gathers customers’ contact details in order to send out confirmation and reminder emails on our behalf.
• We also require customers’ contact details in order to advise them of any event cancellations outside of our control.
• We receive transaction reports from Eventbrite with customers’ names, contact details and redacted card details as a record of sales for accounting purposes.
• Where the required consent has been given, we email information relating to workshops and future events to customers whose names and email addresses we have gathered.
• We provide names of customers to our chosen event venue which requires advance warning of those who are attending.
• We never share personal data with other third parties, unless it is strictly necessary for us to do so in order to fulfil our services and obligations to our customers.
• We may also share personal data with relevant authorities where required to by law, but only to the extent required.
Transfers outside the UK and Europe
We may transfer your information outside the UK and/or EEA in the following situations:
– Cloud storage (Dropbox) – used to store documents containing your data. Dropbox servers are located in EU and USA and the company is committed to meeting the requirements of GDPR by 25 May 2018. See their GDPR guidance information here: https://www.dropbox.com/en_GB/security/GDPR
– Microsoft Office 365 (email accounts) – documents emailed by third parties to The Story Academy Ltd may stored in The Story Academy Ltd email accounts, and may be held on Microsoft’s servers outside the UK and EU. Microsoft is committed to GDPR compliance across its cloud services. See their statement here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
– Eventbrite – information you supply in order to purchase tickets for our events is stored on Eventbrite’s servers located in the USA. Eventbrite is committed to GDPR compliance – see more on their data protection policy here: https://www.eventbrite.co.uk/support/articles/en_GB/Troubleshooting/eventbrite-eu-data-protection?lg=en_GB
– Wix (website host) – people who sign up for our marketing emails on our website are required to input their name and email. This information is processed by Wix.com. Wix.com is certified under the EU-US Privacy Shield Framework and the Swiss-US privacy Shield Framework as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, and therefore adheres to the Privacy Shield Principles. Read more on their committment to GDPR compliance here: https://support.wix.com/en/article/general-data-protection-regulation-gdpr
– MailChimp (marketing automation platform) – customers who have opted in to receive marketing emails have their name and email details stored on MailChimp servers outside the UK and EU. Read more on MailChimp’s committment to GDPR compliance here:
When you give us information we take steps to make sure that your personal information is kept secure and safe. Your information will only be accessed electronically within the UK and EEA via password-protected computers and devices. Forms filled in during our workshops, including media release forms and other consent forms, will be held in paper format in files that kept in a locked filing cabinet.
How long we will keep your information
We review our data retention periods regularly and will only hold your personal data for as long as is necessary for the relevant activity, or as required by law (we may be legally required to hold some types of information).
Transaction reports will be held for 6 years after the relevant financial year end (length of time HMRC are able to open an investigation against us for any reason).
Where consent has been given by customers to receive marketing emails, or to allow permission to use any photographs, this information will be held indefinitely until such time as consent is withdrawn, which is entirely within your rights.
You have the right at any time to:
• ask for a copy of the information about you held by us in our records;
• require us to correct any inaccuracies in your information;
• make a request to us to delete what personal data of yours we hold; and
• object to receiving any marketing communications from us or change your consent status.
If you would like to exercise any of your rights above please contact us at firstname.lastname@example.org
The accuracy of your information is important to us – please help us keep our records updated by informing us of any changes to your email address and other contact details.
If you have any questions regarding your data or our policies relating to privacy and personal data security, please contact us using the email above. We will respond within 7 days.
If we have any questions regarding your status or requests, we will contact you to clarify them.
Should you wish to complain about the use of your information, we would ask that you contact us to resolve this matter in the first instance. You also have the right to complain to the Information Commissioner’s Office in relation to our use of your information. The Information Commissioner’s contact details are noted below:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
The Information Commissioner’s Office – Scotland
45 Melville Street, Edinburgh, EH3 7HL
Telephone: 0131 244 9001
Information Commissioner's Office
2nd floor, Churchill House
Churchill way, Cardiff, CF10 2HH
Telephone: 029 2067 8400
Information Commissioner's Office
3rd Floor, 14 Cromac Place
Belfast, BT7 2JB
Telephone: 028 9027 8757