The University has an appointed Data Protection Officer. Their postal address is:

Data Protection Officer,
B16, Lenton Hurst,
University of Nottingham,
University Park,
Nottingham
NG7 2RD

They can be emailed at dpo@nottingham.ac.uk.

One of our responsibilities as a data controller is to be transparent in our processing of your personal data and therefore tell you about the different ways in which we collect and use your personal data. We also want to maintain the trust and confidence of every one of our audience members and supporters, as well as each visitor who uses the Lakeside Arts website.

Specifically, we use your information in the following ways:

To carry out our business and to provide a service or carry out a contract with you:

• Fulfil ticket, gift voucher, merchandise, donation and membership requests.
• Process payments. Please note that Lakeside Arts does not store any Credit Card or other payment information once the transaction has been completed. We will ensure that this is carried out securely and in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
• Provide the best possible customer service and to help us with internal administration.
• Undertake due diligence in accordance with our Gift Acceptance Policy.
• Contact you with important information relating to your booking or purchase, such as confirming your order, reminding you of an upcoming performance you’ve booked for or letting you know about changes or building works that may affect your visit.

Where we have your consent:

• Send you updates about what’s on, ticket offers and news.
• Contact you about a specific genre or topic that you’ve requested to hear more on such as exhibitions, family events or other projects.
• Share your details with other arts organisations (e.g. Fabric) whose work you will have booked for through Lakeside Arts. You will always be able to opt out of their communications by contacting them directly.

Where we have justifiable reason (including legal obligation and legitimate interest):

• Learn about your interests, preferences and motivations for engaging so that we can contact you with information that is relevant to you.
• Help us target our marketing communications and adverts so that they’re more relevant to you.
• For classifying our audience into groups or segments, using booking, publicly available, and purchased geo-demographic/behavioural profile information. These segments help us to understand our audience better and ensure we’re sending relevant messages to each group.
• Measure and understand how our audiences respond to a variety of marketing activity so we can ensure our activity is well targeted, relevant and effective.
• Undertake consumer research: we may contact you to ask you to participate in consumer research either via an online or telephone survey or in person. You are under no obligation to participate in research and, should you provide any further information, Lakeside Arts will inform you how any further information will be used.
• Analyse and continually improve the services we offer including our artistic output, our website and our other products.
• To keep our database accurate and relevant.
• Detect and reduce fraud and credit risk.

In all of the above cases we will always keep your rights and interests at the forefront to ensure they are not overridden by our own.

Processing Special Category personal data

Data protection law recognises that certain categories of personal information are more sensitive, such as health information, race, religious beliefs and political opinions. We collect and use some Special Category data for two reasons:

1. To understand medical and dietary needs of those engaging with our programme in order ensure that we are able to deliver events safely (e.g. collecting and processing data relating to pre-existing medical conditions for workshops for 18s and under so we are informed and able to act appropriately when a child or young person is under our supervision).
2. To monitor and report on the types of people engaging with our artistic programme and ensure that we are serving a broad section of society with our work (e.g. monitoring the ethnic diversity of those engaging and comparing those statistics with regional census data).

We will always aim to anonymise this data where possible. Where this is not possible we will obtain explicit consent to process when requesting this information and the collection of data to only what is absolutely necessary.

We collect information in a number of ways which are listed below:

• When you create an account at www.lakesidearts.org.uk. Your account allows you do the following: Buy tickets for events; Make a donation; Register for special and genre interest lists (e.g. family shows, exhibition openings, talks and lectures).
• Contact us by phone to book tickets.
• Book tickets in person at the box office.
• Contact us by post or email (e.g. application or donation forms).
• Complete a survey or form during or following a visit to Lakeside.

The type of information we collect depends on where and when it is gathered, and in what context.

When you create an account with us, register on our website, purchase tickets online, in person or by phone, or make a donation we need to collect information from you in order to provide the service you are requesting. We may collect:

• Prefix and name.
• Gender.
• Email address.
• Date of birth.
• Contact phone number(s).
• Payment card details (we will not hold payment information for any longer than it takes to process your transaction).
• Information required to process a donation (including any Gift Aid claims).
• Delivery address(s).
• Billing address.

When visiting our website we may collect the following information:

• Automatically populated IP address: a public IP address is a unique number which allows a computer, group of computers or other internet connected device to browse the internet. The log file records the time and date of your visit, the pages that were requested, the referring website (if provided) and your internet browser version. This information is collected to help diagnose and manage the website, to audit the geographical make-up of users, and to establish how they have arrived at the website.
• Cookies: for further information about Cookies and how we use them, please read our Cookie Policy.

Information we obtain independently from you:

Third Party Organisations
We may combine information you have given to us with this additional information available from external sources. This will only be done when you give permission to the relevant third party organisations to share the data they hold on you, or if the data is already publicly available.

Data Hygiene
From time to time we may screen our database against a recognised data hygiene file (such as a National Change of Address file) and cleanse our file or correct inaccurate data. We may also update inaccurate data if the information is available.

Social Media
Depending on your settings or the privacy policies for social media and messaging services like Facebook, WhatsApp or Twitter, you may give us permission to access information from those accounts or services.

Information available publicly
We may include information found in places such as Companies House and information that has been published in articles/ newspapers.

We may share your details with:

• Service providers who work on our behalf for the performance of any contract we enter into with them or you (e.g. payment processing, printers and mailing houses, marketing agencies, database services, website hosting or email delivery service).
• Named third party organisations if you ticked the relevant opt-in box when you purchased tickets. In these instances, we may supply your personal information to that specific organisation only.
• Third party data services, for example Morris Hargreaves McIntyre, who help us to segment and understand our audience by providing additional information so that we can send the most relevant and targeted communications possible.
• Where required to do so (for example, if required to do so by the ‘know your donor’ principles under charity law or a court order), or when requested by the police or a regulatory or government authority investigating illegal activities.

Transfers of and access to your data outside of Europe

We do not regularly transfer personal data to companies based outside of Europe. However, Spektrix Ltd may transfer or provide access to personal data to its affiliate Spektrix Inc in the United States of America in order to provide technical support services. Spektrix makes this data transfer in accordance with UK GDPR, GDPR and DPA (via the operation of EU and UK approved standard contractual clauses).

Elavon and dotdigital operate globally and as such reserve the right to store and process personal data in any countries outside of the United Kingdom and European Economic Area that are subject to different standards of data protection. Both Elavon and dotdigital take appropriate steps ensure that transfers of personal data are in accordance with UK GDPR, GDPR and DPA and is carefully managed to protect your privacy rights and interests and transfers are limited to countries that are recognised as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights.

Like us, Spektrix is committed to delivering robust security and privacy procedures to ensure we maintain the confidentiality, integrity and availability of data stored in their system. Specifically Spektrix:

• Use industry-standard encryption to protect personal data and communications during data transmissions.
• Do not store payment information.
• Have strict policies in place on accepting management or support requests.
• Conform with the PCI-DSS standard for the handling of cardholder data and are audited annually as a PCI Level 1 provider.
• Provide unique user accounts and login details for all users, with the system allowing differing levels of access, ensuring users only have access to the areas of the system required.
• Have various measures in place to ensure operational security, with annual audits and security testing.

Right to be informed
We will ensure you have sufficient information to ensure that you’re happy about how and why we’re handling your personal data, and that you know how to enforce your rights. We provide information in the form of privacy notices. You can read all of our privacy notices online.

Right of access / right to data portability
You have a right to see all the information we hold about you. Where data is held electronically in a structured form, such as in a database, you have a right to receive that data in a common electronic format that allows you to supply that data to a third party – this is called “data portability”. To make a request for your own information please see our Data Protection website.

Right of rectification
If we’re holding data about you that is incorrect, you have the right to have it corrected. If you have any concern about the accuracy of your personal data, please let us know using the below contact details.

Right to erasure
You can ask that we delete your data and where this is appropriate we will take reasonable steps to do so. If you would like us to remove the personal information we hold about you, please contact us using the below contact details.

Right to restrict processing
If you think there’s a problem with the accuracy of the data we hold about you, or we’re using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed. Please email any related request to our box office team using the below contact details.

Right to object
You have a right to opt out of direct marketing. You have a right to object to how we use your data if we do so on the basis of “legitimate interests” or “in the performance of a task in the public interest” or “exercise of official authority” (a privacy notice will clearly state to you if this is the case). Unless we can show a compelling case why our use of data is justified, we have to stop using your data in the way that you’ve objected to. If you wish to object to us processing your data, please let us know using the below contact details.