UPDATED Sept 2020
GymJam are a professional performing arts company.
GymJam is committed to protecting your personal information and being transparent about the information we hold, whether you are a collaborator, audience member, job applicant, customer, website visitor, or a participant in one of our workshops.
The purpose of this policy is to provide a clear explanation about how GymJam collect, hold process and store your information and the measures we have in place to keep it safe and secure, whether it is collected or provided online, by phone, email, in person, by letter or through social media.
For the purpose of the GDPR (General Data Protection Regulation, 2018) the data controller is GymJam. If you want to know what information we hold about you or if you have any other queries in relation to this Privacy Notice, our contact details are as follows:
GymJam collects, holds and processes personal data from our employees, collaborators, applicants, workshop participants, customers and audience members.
When we say personal data or personal information, we mean the details that you may provide about yourself and any information which identifies you, such as your name, address, email address, telephone number, country of residence or any photographs.
We do hold some sensitive information when there is a clear reason for doing so, for example if you participate in our workshops, we may need to know about your health. As a funded organisation, certain funders may require us to collect information about gender, ethnicity, religious beliefs, socio-economic background or sexuality, which we will also collect anonymously from job applicants. We will keep this information securely in password protected locations, only accessible to relevant staff members. We only retain this information for as long as required to report on our work to our funders, before destroying/deleting. While holding this information, we will also anonymise it wherever possible.
Collecting your Information
We may collect personal information about you when you ask about our activities, register and participate in workshops or events, make a donation, volunteer for us, buy something from our shop, sign up for our newsletter, contact us online, by phone or in writing or collaborate with us on any of our productions or projects.
Most of the personal information we hold is provided directly from the person themselves, but some data could be provided by third parties such as fellow collaborators, referees, workshop leaders or managers or partner venues.
We will occasionally share personal data with other organisations where it is of legitimate interest, such as sharing production contact lists with venues hosting our shows or attendee lists for venues hosting GymJam workshops.
Third party services may also collect information on our behalf such as Just Giving, Eventbrite (for administering events), Wix and Paypal for purchases made in our online shop or payments for workshops. These companies will also have their own privacy statements.
GymJam have social media accounts on Instagram, Twitter, YouTube and Vimeo. Depending on your settings or the privacy policies for these sites, by connecting with us on any of these channels you might give us permission to access your information on those accounts or services.
If you are a donor we may use a number of basic research tools to estimate your potential interest in supporting us further.
We know that our donors would expect us to have ascertained a level of interest and considered the appropriateness of a request for donations before approaching them. We therefore research some of our customers and supporters and occasionally potential supporters to find shared interests. This research may include information we hold on them and publicly available information (for example, through social media, Companies House and the Charities Commission), where they live, their age and similar demographics. In some cases, we will rely on legitimate interest for processing data of potential supporters; this information will help us meet our obligations to protect the charity from financial fraud and risk
How we use your information
We will only use your information for the following purposes:
To provide you with information about our online content or activity that you have agreed to receive.
For marketing purposes where you have specifically consented to receive marketing communications from us.
For recruitment purposes.
To produce and facilitate touring theatre productions and workshops with host venues and co-producers.
For fundraising purposes.
To process online payments and set up direct debits.
To claim Gift Aid to fulfil sales and purchases.
To communicate with participants of our events and workshops about event details.
For internal record keeping.
To invite you to participate in surveys or research.
To develop aggregated data for analysis and reporting to funders.
To analyse and improve the activities and content offered.
Additional information for job applicants, employees and collaborators:
If you apply for a role with GymJam, we will hold the personal information you provide to process your application and we may undertake monitoring of recruitment statistics as required by employment and data protection law.
If we want to disclose information to a third party, for example where we want to take a reference up or obtain “disclosure” from the Disclosure and Barring Service, we will not do so without asking you beforehand, unless the disclosure is required by law.
If you apply to work with us we’ll only hold your data for the purposes of that application. We won’t hold your personal information for any longer than is necessary for the purposes of that application, unless you give us permission to do so.
We take the security of your data seriously. All digital personal information has appropriate technical controls in place to protect your data; any sensitive information is kept encrypted or password protected locations and personal information is deleted when no longer required for the original purpose.
Hard copies of personal information are stored in locked locations with access limited to relevant staff only.
Our network is protected and routinely monitored. We regularly undertake reviews of who has access to what information to ensure that access to personal information is restricted and appropriate.
Where we use external companies that may process data on our behalf we will check that these companies comply with the law and our policy before working with them.
We will only share your data where we have your explicit and informed consent, unless we are required to disclose your details to the police, regulatory bodies or legal advisors for a lawful basis.
If GymJam are responsible for personal data which is lost, stolen or hacked, we have a duty to report this breach to the ICO within 72 hours of becoming aware of it. If the breach is “high risk” and likely to have an impact on the individuals affected, we will inform them as soon as possible.
Retention of your data
We regularly review the length of time we keep personal data, and will only keep your information for as long as required to complete the original purpose of collection. If required to report on employees, attendees of workshops or productions for funding purposes, we will retain the information up to the point where we have reported the relevant information to our funders.
Unsuccessful job applicants will have their data deleted after six months after the appointment has been made. If a candidate was second choice for a role, we may retain their information until the probation period has been completed by the candidate appointed.
GymJam maintain a retention schedule to track personal information held by the company and to ensure that information that is no longer required for its original purpose is securely deleted in a timely manner. This allows us to track documents which may need to be retained for longer; for example, HR documents for employees must be retained for six years after employment ends for legal reasons.
Your Right to Access your Data
You have the right to request the information we hold about you at any time by submitting a written Data Subject Access Request. We will require proof of ID before releasing any information and will charge an administration fee of £10.
We will provide you with a description or copies of your information held by ThickSkin within 30 days, unless your request is particularly complex, in which case it may take up to 3 months.
Your Right to Correct Incorrect Information and Your Right to Be Forgotten
You have the right to keep your personal data accurate and up to date. If you have reason to believe that ThickSkin holds incorrect or out of date information about you, please make a written request by email@example.com and we will respond within 30 days regarding your request to rectify, erase or destroy that data.
You have the right to be forgotten. If you would like your personal data held by GymJam to be erased, please make a written request by contacting firstname.lastname@example.org We will respond within 30 days.
We will erase the data as requested if it is no longer necessary for the purpose it was originally collected, or if you initially consented to us holding the information and have now withdrawn consent, if the information was collected and retained on a legitimate interest basis which no longer applies or we need to comply with a legal obligation.
The right to be forgotten does not apply when the information needs to be retained to perform a task in the public interest, comply with a legal obligation, or to exercise the right of freedom of expression and information, or for the establishment, exercise or defence of legal claims. The right will also not apply in cases where processing is required for public health purposes in the public interest.
Other reasons why a request to be forgotten may be denied is if it is manifestly unfounded or excessive or whether the request is repetitive in nature.
Your Right to Complain to the ICO
If a request is denied, we will inform you of this within 30 days and tell you the reasons we are not taking action. We will also inform you of your right to make a complaint to the ICO or Charities Commission, and your ability to seek to enforce the request through legal action.
Privacy Notice Review
We regularly review this Privacy Notice to ensure that it is up to date and fit for purpose. We will notify you about any significant changes to the way we treat personal information by sending a notice to the primary email address you have provided or by placing a prominent notice on our website.