This new law is built around the principles of transparency and control, something the BSO has always taken pride in offering. So, to help you retain control of your data, our updated policies offer more detail on what we collect, how we use it, and your rights. Whenever you provide personal information, we will treat that information in accordance with the current UK General Data Protection Regulation (which superseded the EU GDPR on 1 January 2021) and related privacy legislation and will aim to meet current internet best practice.
The UK GDPR is substantially similar to the EU GDPR. For instance, data subjects still have the same rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling.
There are still six data processing principles and six lawful bases for lawful processing, and we will continue to ensure the security of the personal data that we process. However, the EU GDPR will still apply if we process EU residents’ personal data.
Your personal data
We collect, hold and process personal data about actual/prospective/former Members of the BSO, BSO customers, service users (including users of our website), partners, business contacts, staff (musicians and administration) and trustees.
The BSO holds and processes personal data for the following purposes, as applicable:
- Managing membership of the BSO
- Managing members’ rights under the BSO’s constitution
- Managing access to our services and events, including centralised services to the benefit of our customers’ legitimate business interests
- Sending out information we reasonably believe may be of interest to customers and Members, for example newsletters, future concert information and other participatory workshops/sessions and fundraising events
- Seeking information about customers’/BSO Members’ views on relevant issues or their organisation
- Seeking feedback on concerts/events
- Forwarding anonymised details to specific third-party advisers for the purposes of industry research and advocacy in compliance with our National Portfolio Organisation funding agreement with Arts Council England. This assists with reporting to funders and strategic planning, helping us to make better business decisions
We may use third-party suppliers’ systems to process data on the BSO’s behalf (e.g. cloud-based IT networks, CRM, email marketing and event booking systems) on a secure and confidential basis.
We will not share your data with other third parties without your permission or for commercial gain.
The BSO may disclose personal information if required to do so by law, or if it believes that such action is necessary to protect and defend the rights, property or personal safety of the BSO, its premises or its visitors.
In cases where you have consented to our use of your personal information for a specific purpose you have the right to change your mind at any time. Where we are using your information because we have a legitimate interest to do so, you have the right to object to that use.
We may also store and use photographic images and video footage of customers/BSO Members and event attendees. You have the right to object to this if you wish; to do so, please contact our Data & CRM Officer at firstname.lastname@example.org
Whenever we process data for these purposes we will ensure that we always keep your personal data rights in high regard and take account of these rights. You have the right to object to this processing if you wish, and if you wish to do so, or to opt out of our communications, please contact email@example.com or update your contact preferences by logging in to your online account or using the ‘Unsubscribe’ link at the bottom of any BSO email. Please bear in mind that if you object this may affect our ability to carry out the tasks above for your benefit.
The BSO places great importance on the security of all personally identifiable information associated with our customers and Members. We have implemented technology and policies to safeguard your privacy from unauthorised access and improper use and will continue to update these measures as necessary.
You have a right to access the personal information we hold about you at any time. If you wish to do this, please contact our Data & CRM Officer at firstname.lastname@example.org who will be in touch to gain the relevant identification from you, and will provide results of your access request within one calendar month.
Third Party data processors
Like most organisations we rely on several third-party providers to support our day-to-day operations, for example in areas such as online file storage, email delivery and off-site storage facilities. We may also hire third parties to operate, maintain or improve our website and other digital services. Some of these service providers will by necessity have access to or be directly involved in processing or storing a subset of the personal information you share with us.
All our third-party data processors have been carefully chosen as service suppliers who also practise responsible data handling. We believe that each has in place appropriate protections to ensure the security of the data we store or process with them and has clear policies for how it treats that data. But if in doubt you should review their individual privacy policies.
Before using or sharing your information with third parties in ways not described here or previously authorised by you, we will provide you with notice and an opportunity to control the further use or disclosure of your personal information.
Transfers outside of the UK or European Economic Area
Under certain circumstances we will transfer your information outside of the European Economic Area. We will only do this with your informed consent, when it is necessary to perform a contract we have with you or where the receiving organisation has adequate safeguards in place – for example certification under the EU-U.S. Privacy Shield framework.
We consider it in the legitimate interest of yourself and the BSO, and an important part of your membership, to contact you regularly with relevant information in the form of regular newsletters and event updates and, from time to time, with marketing information or to seek information about you and your views. You may opt out of these communications at any time by clicking unsubscribe on the email, but please bear in mind that if you opt out of these communications you may not receive information which will help you make the most of the benefits of BSO membership. Should you choose to opt out we will still contact you regarding the administration of your membership e.g. membership renewals and payments. We may also contact you regarding the role of members in the running of the BSO, for example our annual general meeting and board elections. We need to process your data in this way in order to carry out our contractual obligation to you and manage your rights under the BSO’s Articles of Association. It is therefore not possible for members to opt out of such communications.
General browsing and the BSO website
Our website is hosted by Every City Ltd, a UK-based data centre, managed by Cog Design Ltd. When you visit our website or access one of the files stored on our web server, information about this request will be automatically stored in our log files to provide usage statistics, enable security features and aid technical troubleshooting. This is on the legal basis of legitimate commercial interests. In these cases, your IP address at the time acts as a unique identifier and is stored along with information about your operating system, browser version and the pages/files you access. These logs are retained on the server for up to 60 days, after which they are automatically deleted.
Like most organisations we use Google Analytics to help understand how our website is being discovered and interacted with and we use this information to help improve the experience for our visitors and make decisions about future development. Google Analytics presents us with aggregate information about the geographic location, device types and operating systems used by our website visitors, but not in a way that personally identifies you. Additionally, Google will record your computer’s IP address and set a number of temporary cookies in your browser to help distinguish you as an individual visitor as you move around our site. In the interests of limiting the amount of data Google collects via our site we are using Google’s standard Analytics implementation and have not enabled any additional advertising features, such as re-marketing tags which would tie your usage of our site in with your broader browsing habits.
CRM and email marketing
We use Spektrix Ltd and dotdigital (formerly dotmailer, part of the dotdigital Group PLC) to facilitate communication with our members and partners. So, when you choose to receive mailings, the email address and name you submit will be held securely by the BSO, Spektrix and dotdigital.
The Spektrix servers are located in the UK and Spektrix will not share your information with any unauthorised third parties or contact you directly at any time.
The dotdigital servers are based in Europe and so your information may be transferred to, stored, or processed outside of the UK. dotdigital participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework, which certifies that it has adequate safeguards in place. dotdigital uses third parties to host the dotdigital application servers for the provision of the Services. As a respected email marketing provider dotdigital will not share your information with any unauthorised third parties or contact you directly at any time.
You can update your details or opt-out of our emails at any time using the ‘Unsubscribe’ or ‘Email Preferences’ links found at the bottom of every email we send or by logging in to your online account and changing your contact preferences. If you unsubscribe, both Spektrix and dotdigital will retain your email address for the purposes of a suppression list to ensure that no further marketing messages can be sent unless you actively choose to opt-in again.
Concerts and events ticket booking
When booking tickets or registering to attend our events directly via the BSO website you will complete a booking form which then sends a form to our email servers. Online and card payments are processed by Sage Pay, a UK payment processing company. We then input the information you provide, which includes your name, telephone number, postal address and email address into our main database. If you book tickets for a BSO concert through the venue at which the performance takes place, your data will be held by them and you may be contacted by them directly. You should review their privacy policies at the time of booking. We may receive your information from them so that we can add your details to our database so that we can inform you of future BSO concerts/events and other fundraising activities as part of data sharing agreements with the venues. The BSO will then inform customers new to the BSO database that we have received this data within 30 days and restate that they have the opportunity to opt out at any time. This information will be available to us for our legitimate interest in keeping financial records, controlling access to our concerts/events and providing attendees with essential event information via email.
Job vacancy submission
When you submit the details of a job vacancy the information you provide is sent to us by email. This includes your name, email address, telephone number and place of work. This information will only be used by our team for the purpose of processing your job vacancy submission. We will also record your IP address and a timestamp for the purposes of fulfilling our obligation under data protection regulations to appropriately log submissions of personal data.
On its way to us your message will pass through anti-spam filters operated by Keyfort Ltd and Microsoft to identify poor quality content or viruses. These are automated processes with no human involvement. These third parties will only access email content under very limited circumstances, such as investigating fraudulent or abusive activity.
Because your submission can include attachments and other information we can’t limit what data you share with us. We request that you only share information directly relating to your submission and that you have the appropriate consent to disclose the information you share.
When you send us an email, either through the contact form on our website or to an individual member of staff, we will collect your email address and any other information you provide within your email.
Microsoft are our email service provider so any emails you send us will be stored on their servers. Therefore, your email and any associated personal data may be transferred outside of the European Economic Area to servers located in the USA. Microsoft’s certification under the EU-U.S. Privacy Shield Framework commits it to maintaining appropriate safeguards for international data transfers.
The information you provide will only be processed in relation to the purpose of your correspondence with us. We have no fixed retention period for email correspondence, but we are committed to storing your data for no longer than is necessary to serve our legitimate interests of record keeping or to perform a contract we have entered into with you.
Personal data breaches
Questions & access requests
The Data Protection Act (DPA) 2018 gives you the right to know what personal data we hold, to have it updated if it is inaccurate or removed entirely if you no longer consent to our use of it. We will endeavour to respond to any such requests within one month confirming receipt and outlining what follow-up actions will be taken and when.
Bournemouth Symphony Orchestra
2 Seldown Lane