Privacy Policy
The Watermill Theatre Privacy Policy
We, Watermill Theatre Limited (we, us, our), are committed to protecting your personal information and to being transparent about the information we hold about you. Using personal information allows us to develop a better understanding of our patrons, and in turn allows us to provide you with relevant and timely information about the work that we do, both on and off stage. Personal information also helps us as a charity to engage with current and potential donors.
The purpose of this privacy policy (Privacy Policy) is to give you a clear explanation about how and why we are using your personal information. This Privacy Policy is available on our website and from The Watermill Theatre Box Office. Accessible formats are available on request by contacting us using the details provided below.
If you are under 16 we will need your parent/guardian’s consent before we can collect any personal information about you. If you do not have that consent, please do not provide your personal information or use our website to buy a ticket or make a donation, create an account or join our mailing list.
This Privacy Policy explains:
- Who we are
- What personal information we collect about you
- How we use your personal information
- Who we share your information with
- How we keep your personal information safe
- International transfers of your information
- How long we keep your personal information
- How you can help keep your information safe
- Your rights to your personal information
- Third-party links
- Notifications of changes to our Privacy Policy
- How to update your personal information
1. Who we are
The Watermill Theatre Limited is a company registered in England and Wales with registered company number 978279. We are also a registered arts charity (with registered charity number 261430).
We receive funding from trusts, foundations, individuals and corporate organisations. On average, 84% of our income is generated through direct theatre activities including ticket sales, restaurant revenue and fundraising activities.
You can contact us as follows:
FAO: Data Support
Address: The Watermill Theatre, Bagnor, Newbury, Berkshire RG20 8AE
Email: admin@watermill.org.uk; Please mark your email for the attention of Data Support
Phone number: 01635 45834
2. What personal information we collect about you
We aim to be clear when we collect your personal information and to use it in ways that you would reasonably expect us to do so. We will collect your personal information when you:
- Book for a show, event or activity
- Submit correspondence to us by post, email or via our website
- Make and change your ticket bookings over the phone, by email or in person at our Box Office
- Create an account on the website which allows you to:
- Purchase tickets
- Purchase or redeem gift vouchers
- Purchase food and drink packages
- Indicate your contact preferences such as whether you would like to receive marketing emails from us
- Make a donation through the Box Office, online, in person or via post
- Become a member
- Subscribe to our newsletter and join our mailing list
- Make an enquiry, provide feedback, submit a review or make a complaint in person or over the phone, by email or on our website
- Make changes to how we contact you or update your interests via your account
- Book a table in our restaurant
- Make a booking or an enquiry about an Outreach activity
- Contact us about corporate partnership opportunities and private hospitality options by telephone or email
- If you are a member of a trust or foundation and you contact us about opportunities to support our work
- Respond to surveys, participate in promotions or use any other features of the website
- ‘follow’, ‘like’, post to or interact with our social media accounts, including Facebook, YouTube, Twitter, Flickr, Instagram
- Submit a CV or application for a job vacancy or attend an interview or assessment.
The information you provide to us will include (depending on the circumstances):
- Identity and contact data: title, names, addresses, email addresses and phone numbers
- Account profile data: if you’re registering for an account on the website you will also provide a username, password, delivery and billing address, date of birth and confirmation that you are over 16
- Financial data: if you are using the website to purchase tickets, gift vouchers, memberships, food/drink packages, or any other services we offer from time to time, you will also provide payment details, which may include billing addresses, credit/debit card details and bank account details
- Survey data: from time to time we might ask if you would be willing to participate in our surveys; if you agree, we will also collect any information that you provide as part of that survey
- Employment and background data: if you are submitting a job application, you may also provide additional information about your academic and work history, qualifications, skills, projects and research that you are involved in, references, proof of your entitlement to work in the UK, your national security number, your passport or other identity document details, [your current level of remuneration (including benefits)], and any other such similar information that you may provide to us.
Information about your interaction with us:
- Information contained in correspondence: we will collect any information contained in any correspondence between us. For example, if you contact us by email or telephone, we will keep a record of that correspondence
- Transactional data: we will collect information related to your transactions on the website, including the date and time, the amounts charged and other related transaction details. This includes records of your booking history and, if relevant, your donation history on our secure ticketing, marketing and fundraising system, Spektrix
- Website usage data and technical data: we will also collect certain information about how you use our website and the device that you use to access our website, even where you have not created an account or logged in. We keep a record of what emails you have opened, and which links you have clicked. [We also process records of your geographical location, device information (such as your hardware model, mobile network information, unique device identifiers), the data transmitted by your browser (such as your IP address, date and type of the request, content of the request regarding the specific site, time zone settings, access status/HTTP status code, volume of data transmitted, browser type and version, language settings, time zone settings, referral source, length of visit to the website, date and time of the request, operating system and interface), number of page views, the search queries you make on the website and similar information.] This information will be collected by a third-party website analytics service provider on our behalf and is collected using cookies or similar technologies. For more information please read our Cookie Policy.
- Imagery: we may capture images of you when we take photographs or film the theatre, productions or any special events we host from time to time. Your image may be included in a crowd shot of the theatre or your image may be specifically captured such as images of audience participation scenes. We will endeavour to let you know, by notices at the theatre, if we will be photographing or filming the theatre or production for publicity and broadcast purposes at the time of your visit. Photos or film taken of the theatre may include images of children or vulnerable adults for which we will ask for parental or guardian consent before using such imagery in any promotional material.
Sensitive Personal Information
“Special categories” of particularly sensitive personal information (Sensitive Personal Information) require higher levels of protection. Sensitive Personal Information includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. We need to have further justification for collecting, storing and using this type of Sensitive Personal Information. We do not usually collect this information about our patrons unless there is a clear reason for doing so. We have in place an appropriate safeguarding policy which we are required by law to maintain when processing such data.
If you are a visitor to our theatre, you may provide us with Sensitive Personal Information about your health, dietary requirements or a disability. Any such information you provide to us will be used for the purpose of making reasonable adjustments for your circumstances and on the basis of your explicit consent. You may withdraw your consent to our processing this data about you at any time.
When you register an account, you may indicate your “Accessible Performance Preferences” such as whether you would like to hear about audio-described performances, British Sign Language performances, captioned performances or relaxed performances. We will use this information to send you targeted marketing which you may opt out of at any time.
If you are a job applicant, we will process Sensitive Personal Information about (i) your race, ethnicity, religious or philosophical beliefs and sexual orientation for the purpose of our diversity and equal opportunities records where it is needed for reasons of substantial public interest for equal opportunities monitoring and (ii) your health as necessary for the purpose of arranging your interview and for compliance with our legal obligations to make reasonable adjustments for your circumstances.
Information from other organisations (third parties)
In certain circumstances, we will receive information about you from third parties. For example:
- Service providers: we collect personal information from our website developer, payment services provider (Spektrix), marketing service providers (Spektrix and Dot Mailer), and other IT service providers (who are based inside the EU)
- Website security: we collect information from our website security service partners who are based inside the EU, about any misuse to the website, for instance, the introduction of viruses, Trojans, worms, logic bombs, website attacks or any other material or action that is malicious or harmful
- Social media providers: we currently use social media plugins from the following service providers who are based both inside and outside the EU: Facebook, Twitter, YouTube, Flickr and Instagram. By providing your social media account details you are authorising that third-party provider to share with us certain information about you. We carry out targeted advertising via these social media providers
- Employers, recruitment agencies and referees: if you are a job applicant, we may contact your recruiter, current and former employers and/or referees, who may be based inside or outside the EU, to provide information about you and your application
- Publicly available sources: we currently use publicly available sources in order to carry out basic research on some potential donors. In addition to general information researched on the internet about such donors, we make use of company, director and shareholder information from publicly available, officially registered information providers (such as Companies House) to carry out identity and compliance checks to help us meet our obligations as a charity against financial fraud.
We occasionally check your personal information against records held by other organisations which allow us to verify the information we use. For instance, we run regular checks against the Royal Mail’s Postcode Address File (PAF Database) to ensure that our mailings reach our intended audience and to keep costs as low as possible.
We might also receive information about you from third parties, such as other theatre or arts organisations, if you have indicated to such third parties that you would like to hear from us.
3. How we use your personal information
We will use your information:
- Where we need to perform the contract that we are about to enter or have entered in to with you
- Where we have your consent before using your personal information in that specific situation. Generally, we do not rely on consent as a legal basis for processing your personal information. You have the right to withdraw consent at any time by contacting us using the details at the top of this Privacy Policy
- Where we have a legitimate interest to do so and provided that your interests and fundamental rights do not override the interests of The Watermill Theatre; or
- Where we need to comply with a legal or regulatory obligation.
For the performance of a contract
When you make a purchase, you are entering into a contract with The Watermill Theatre. To fulfil this contract, we will collect, process and securely store your personal information to complete your booking. We will use this to keep you informed about essential information related to your transaction. This might include notification of a change to the programmed events or issues processing payment. We will also provide a booking confirmation by email where an email address has been provided.
Consent
There will be circumstances when we will ask for your consent before using your personal information. We will obtain your consent before:
- Sending marketing communications by email relating to shows, events and offers, dining and restaurant bookings, participatory opportunities and ways to support The Watermill Theatre.
- Sending marketing communications by SMS relating to shows, events and offers, dining and restaurant bookings, participatory opportunities and ways to support The Watermill Theatre
- Claiming Gift Aid on a donation you have made to The Watermill Theatre.
- Processing data relating to children (under 18’s) and vulnerable adults for Outreach workshops, in line with our safeguarding policy. We will obtain consent from a parent, guardian or carer. To request a copy of our safeguarding policy please call 01635 45834 or email admin@watermill.org.uk.
In circumstances where we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
Legitimate interest
In certain situations, we collect and process information for purposes that are in our legitimate organisational interest. We will always consider the impact on our customers and will use your personal information only in ways that you might reasonably expect us to do so. Our legitimate interests don’t automatically override yours and we won’t use your information if we believe your interests should override ours unless we have other grounds to do so (such as your consent or a legal obligation). If you have any concerns about our processing, please refer to details of “Your rights to your personal information” below.
We will use legitimate interest as our legal basis to process your personal information in the following situations:
- To provide access to our website: to provide you with access to our website in a manner convenient and optimal and with personalised content relevant to you including sharing your information with our website hosts and developers (on the basis of our legitimate interest to ensure our website is presented in an effective and optimal manner)
- Relationship management: to manage our relationship with you, which will include notifying you about fundamental changes to our Terms and Conditions or Privacy Policy, and asking you to leave a review or take a survey (on the basis of performing our contract with you, to comply with our legal obligations and on the basis of our legitimate interests to keep our records updated and study how our website and services are used)
- User and customer support: to provide customer service and support, deal with enquiries or complaints about the website and share your information with our website developer, IT support provider, payment services provider or marketing service provider as necessary to provide customer support (on the basis of our legitimate interests to provide you with customer service)
- Prize draws, competitions and surveys: to enable you to take part in prize draws, competitions and surveys (on the basis of our legitimate interest in studying how our website and services are used, to develop them and grow our business)
- Recruitment: to process any job applications you submit to us, whether directly or via an agent or recruiter including sharing this with our third-party recruitment agency (on the basis of our legitimate interest to recruit new employees or contractors)
- Marketing: to send you information by post (or by email provided we have the requisite permission to do so) about shows, events and offers, dining and restaurant bookings, participatory opportunities and ways to support The Watermill Theatre that we think you may be interested in, based on your interests, preferences and booking history. You can opt out of receiving this information at any time by contacting us using the details at the top of this Privacy Policy or by logging into your account and selecting ‘go paperless’ in the contact preferences section (on the basis of our legitimate interests to provide you with marketing communications where we may lawfully do so). You may see advertising about us on your social media feeds
- Publicity: to promote our theatre and productions which may include photographs or films of the theatre in which you may appear. We may use such photographs or films in our printed and online publicity, social media and press releases (on the basis of our legitimate interests in promoting our services)
- Advertising: to deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you (on the basis of our legitimate interests in studying how our website/services are used, to develop them, to grow our business and to inform our marketing strategy)
- Analytics: to use data analytics to improve our website, products/services, marketing, customer relationships and experiences (on the basis of our legitimate interests in defining types of customers for our website and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
- Research: to carry out aggregated and anonymised research about general engagement with our website and our products and services, to segment our database so that you receive the information that is most appropriate to you, and for the purposes of internal reporting and analysis (on the basis of our legitimate interest in providing the right kinds of products and services to our website users and customers). We will use your transactions and donation history and fundraising research as well as any interests you have specified to help do this
- Report to external arts organisations: occasionally, we share anonymous demographic information with external organisations such as Arts Council England and the Audience Agency. This information may be derived from your personal information but is not considered personal information in law as this information does not reveal your identity (on the basis of the legitimate interest these organisations have in our anonymised demographic information for their own research purposes).
Legal obligations
We may be required to disclose personal information to comply with the law or to enforce our legal rights as follows:
- Prevention of crime and public safety: to monitor the theatre in order to prevent or detect criminal activity (on the basis of our legitimate interest in preventing and detecting crime and ensuring employee and public safety)
- Fraud and unlawful activity detection: to protect, investigate, and deter against fraudulent, unauthorised, or illegal activity, including identity fraud (on the basis of our legitimate interests to operate a safe and lawful business or where we have a legal obligation to do so)
- Compliance with policies, procedures and laws: to enable us to comply with our policies and procedures and enforce our legal rights, or to protect the rights, property or safety of our employees and share your information with our technical and legal advisors (on the basis of our legitimate interests to operate a safe and lawful business or where we have a legal obligation to do so).
Fundraising activities - how we use your personal information
As a registered charity, The Watermill Theatre is a member of the Fundraising Regulator and follows its Code of Fundraising Practice. We are committed to being legal, open, honest and respectful in our fundraising activity.
Under our legitimate organisational interest, we may contact you by post to seek your support for our philanthropic priorities. This contact will not be more frequent than once per month and you are able to opt out at any time by using the contact details at the top of this Privacy Policy or by logging into your account and selecting ‘go paperless’ in the contact preferences section.
If you have given consent to email communications, we may contact you to seek your financial support. If a donation is made online, we will thank you for your donation by return email. We will not contact you via email about any other fundraising opportunity unless you have given us consent to do so. If a donation is made in any other way, we will thank you for your donation as you would reasonably expect us to do so. For example, if a donation is sent via post with a covering letter giving your personal details, we will use this information to thank you by return post.
4. Who we share your information with
In connection with the purposes and on the lawful grounds described above and in addition to the recipients of your information as described above, we will share your personal information when relevant with third parties such as:
- Our service providers: Service providers we work with to deliver our business, who are acting as processors and provide us with:
- Website development and hosting services provided by Virtualnet and Spektrix who are based in the UK
- IT, system administration and security services provided by Advanced, based in the UK, and Microsoft Office, based in the UK
- Marketing service providers based in the UK and advertising services (including the Google AdWords service), analytics providers (including Google Analytics) which are [based in the USA]
- maps services (including Google Maps API) [based in the USA]
- social media plugin services including Facebook, Twitter, Flickr, YouTube and Instagram based in the USA
- payment services provided by Sage Pay based in the UK
- Merchant Service provider First Data Merchant Services [based in the UK]
- banking services [based in the UK]
- legal, accountancy, auditing and insurance services and other professional advisers [based in the UK]
- recruitment service providers [based in the UK]; and
- Local Authority and External examination Boards [based in the UK].
- External arts organisations: external organisations such as Arts Council England and the Audience Agency. We will only send these organisations anonymised information
- Marketing parties: any selected third party that you consent to our sharing your information with for marketing purposes
- Prospective sellers and buyers of our business: any prospective seller or buyer of such business or assets, only in the event that we decide to sell or buy any business or assets
- Other third parties (including professional advisers): any other third parties (including legal or other advisors, regulatory authorities, courts, law enforcement agencies and government agencies) based in the UK where necessary to enable us to enforce our legal rights, or to protect the rights, property or safety of our employees or where such disclosure may be permitted or required by law.
We require third parties to maintain appropriate security to protect your information from unauthorised access or processing.
5. How we keep your personal information safe
We use appropriate technological and operational security measures to protect your information against any unauthorised access or unlawful use, such as:
- ensuring the physical security of our offices or other sites
- ensuring the physical and digital security of our equipment and devices by using appropriate password protection and encryption
- maintaining a data protection policy for, and delivering data protection training to, our employees
- limiting access to your personal information to those in our company who need to use it in the course of their work.
How is customer information secured?
Your personal information is stored in our secure ticketing, marketing and fundraising system, Spektrix. Spektrix are industry specialists and have high-level security measures in place. Their servers are in a tier IV data centre in the UK with 24/7 onsite security and tightly restricted access control. For further information, please refer to the Spektrix privacy policy.
Access to customer information is strictly controlled. The Spektrix system can only be accessed by our staff who need it to do their job and Spektrix staff when instructed by us for service support. Certain information, for example some sensitive personal information such as Access requirements, is additionally controlled and is only accessible to members of staff who have reason to work with it. All staff are required to adhere to our data protection policy and are subject to a duty of confidentiality.
We occasionally employ other organisations to help fulfil our activities and agreed communication with you. For example, we work with a mailing company to send out our bi-annual season brochure. When we do this, we will only give authority for the personal information to be used for the purpose it has been provided for. We will ensure that any third parties have safeguards in place to keep your personal information secure.
How is financial data secured?
If you use your credit or debit card to purchase from us or to make a donation, we will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). You can find more information about this standard here: https://www.itgovernance.co.uk/pci_dss
We optionally allow you to store your card details for use in a future transaction. This is carried out in compliance with PCI-DSS and in a way where none of our staff members are able to see your full card number. We never store your 3- or 4-digit security code.
Our finance data is secured via a managed hosting service delivered by Advanced. All managed hosting services are delivered exclusively from data centre facilities in England. Customer data is not transferred or stored outside of these facilities. Advanced’s internal networks are segregated to restrict access to areas of the networks that contain this data, with RBAC (Role Based Access Control) further restricting access to specific individuals within certain roles. Advanced deploys market leading next generation firewall appliances to protect the Private Cloud environment from malicious attack. Network devices are managed within a secure management network and servers are secured by firewalls. In both instances SSL/TLS secure encryption protocols are used. Remaining data is stored and accessed from our Microsoft Office 365 tenancy, using a selection of SharePoint Online, OneDrive and Office 365 Applications. This data is secured and replicated across the highly resilient Microsoft Data Centre Network in the UK region, ensuring that the highest standards of data security are in place.
6. International transfers of your information
We will not transfer, process or store your personal information anywhere that is outside of the European Economic Area, unless one of the following transfer solutions is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us using the contact details at the top of this Privacy Policy if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
7. How long we keep your personal information
We store personal information for as long as it is necessary to fulfil the purposes we collected it for, including for the purposes of legal, accounting, reporting or booking requirements. We retain personal information based on the nature, sensitivity and purpose the personal information was collected for.
We review our data retention processes regularly. We operate a data retention policy and look to find ways to reduce the amount of information we hold about you and the length of time that we need to keep it.
8. How you can help keep your information safe
You can also play a part in keeping your information safe by:
- choosing a strong account password and changing it regularly
- using different passwords for different online accounts
- keeping your booking references and passwords confidential and avoiding sharing your login with others
- making sure you log out of the website each time you have finished using it. This is particularly important when using a shared computer
- letting us know if you know or suspect that your account has been compromised, or if someone has accessed your account without your permission
- keeping your devices protected by using the latest version of your operating system and maintaining any necessary anti-virus software
- being vigilant to any fraudulent emails that may appear to be from us. Any emails that we send will come from an email address ending in @watermill.org.uk or from our email marketing address: Watermill.Theatre@arts-mail.co.uk
9. Your rights to your personal information
You have certain rights in respect of the information that we hold about you, including:
- the right to be informed of the ways in which we use your information, as we seek to do in this Privacy Policy
- the right to ask us not to process your personal data for marketing purposes
- the right to request access to the information that we hold about you
- the right to request that we correct or rectify any information that we hold about you which is out of date or incorrect
- the right to withdraw your consent for our use of your information in reliance of your consent, which you can do by contacting us using any of the details at the top of this Privacy Policy
- the right to object to our using your information on the basis of our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground
- the right to receive a copy of any information we hold about you (or request that we transfer this to another service provider) in a structured, commonly used, machine readable format, in certain circumstances
- in certain circumstances, the right to ask us to limit or cease processing or erase information we hold about you
- the right to lodge a complaint about us to the UK Information Commissioner’s Office (https://ico.org.uk/) as well as a right to lodge a complaint with the relevant authority in your country of work or residence.
You may contact us via the details at the top of this Privacy Policy if you wish to action any of these rights and we will comply with your requests unless we have a lawful reason not to do so. There is no fee for you to exercise any of these rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
If you choose to exercise any of these rights, we may need to request certain information from you to help us confirm your identity. This is a security measure to ensure that personal information is not shared with anyone without the right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We aim to carry out all requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
10. Third-Party Links
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
11. Notifications of changes to our Privacy Policy
This Privacy Policy may change from time to time. We will notify you of any fundamental changes to this Privacy Policy where you would reasonably expect to be informed. For example, by publishing any updates on our website or by emailing you. Please visit the website for our most up-to-date Privacy Policy or to receive a paper copy, send a stamped addressed envelope to the address at the top of this Privacy Policy.
12. Updating your personal information
It is important that the personal data we hold about you is accurate and current. To change any of the information we hold about you or to make changes to the way we contact you, please log into your account on www.watermill.org.uk, email admin@watermill.org.uk or write to us using the contact details at the top of this Privacy Policy.
This Privacy Policy was updated on 22nd May 2019.