COVID-19 related processing:
While pandemic conditions persist, Kingston Theatre Trust may need to collect, share and
otherwise process personal data in accordance with Government guidance. This may be for
public and individual health by seeking to limit the spread of coronavirus (COVID-19).
collect from you or that you provide to us. Please read it to understand how we use and protect your
personal information. This policy may change from time to time so please check it periodically. It was
last updated on May 12th, 2020.
We are committed to protecting your personal information and being transparent about what
information we hold about you. Using personal information allows us to develop a better
understanding of our patrons and in turn to provide you with relevant and timely information about
the work that we do - both on and off stage. As a charity, it also helps us to engage with potential
donors and supporters.
The purpose of this policy is to give you a clear explanation about how we use the information we
collect from you directly and from third parties. We use your information in accordance with all
applicable laws concerning the protection of personal information. This policy explains:
• What information we may collect about you
• When and how we may use that information
• In what situations we may disclose your details to third parties
• How we keep your personal information secure
• How long we maintain it for and your rights to be able to access it
1. Contacting Rose Theatre Kingston
For the purpose of the General Data Protection Regulation (GDPR) the data controller is Kingston
Theatre Trust trading as Rose Theatre Kingston, which is a charity funded by a number of local
organisations, trusts and foundations, individual donors and supporters. Our registered charity
number is 1000182 and we are also registered as a company in England and Wales under
registration number 2497984.
If you want to know what information we hold about you or if you have any other queries in relation
FAO: Data Protection Team
24-26 High Street
KT1 1 HL
Email: [email protected]
Please note: If you wish to opt out of any communication or amend your contact preferences, you
can do so by logging into your account or by contacting us as per the details above.
2. What personal information we collect
2.1 Information you give us – For example when you register on our website, buy tickets, make a
donation, register for a workshop or other activity, we’ll store personal information you give us such
as your name, email address, postal address, telephone number and card details. We will also store
a record of all your orders and donations. This information will be held on our system and may be
used for operational purposes, such as the processing of bookings and orders in connection with our
online ticket ordering services and for mailing list subscriptions (see Section 4. How and why we use
your personal data).
In order to process a transaction, your personal information and card details may be passed to third
party service providers. Card details will only be used for the purpose of handling an individual
transaction unless you opt to store them for future transactions (see Section 8. Security – How we
protect your data).
2.2 Young people – our policy is to take bookings for events or activities from people aged 18 years
and over. We may ask you to confirm your age when you book an event with us and, if you book a
workshop or other activities for young people aged 18 or under, we may ask for extra information,
such as the young person’s name, date of birth, school, parent or guardian’s name, address, email,
emergency contact, photo/filming consent. We will use this information where we are satisfied that
we have a legitimate interest to do so, for example, to provide information in advance of an event,
to monitor attendance at a workshop, and to provide a safe environment for all participants. We
may also ask for information about any relevant disability or health issues. We will only use this
information where we have consent to do so or, if the person is under 18, we will ask for the parent
or guardian’s consent. This information will be held on our system and used for operational
purposes only, such as for the fulfilment of your booking or order (see Section 4. How and why we
use your personal data).
2.3 We may receive some information that you submit to any third party website that you access
from a link contained in the Rose website. Both we and the owner or operator of that third party site
of that website to find out how they will use your data. We will only use that information in
2.4 Special categories of personal data – data protection law recognises that certain categories of
personal information are more sensitive such as health information, race, religious beliefs and
political opinions. We do not usually collect this type of information about our patrons unless there
is a clear reason for doing so. For example, we may collect health information about patrons with
specific access requirements or participants in our programme of classes and courses in line with our
legitimate interest to provide a safe environment for all patrons and participants. When processing
this data, we will always ask for your consent first. This information will be held in our system and
will only ever be used for the purposes of fulfilling your booking or order to the best of our ability.
2.5 We may also collect generic information about your visit or use of the Rose website such as your
IP addresses, geographical location, browser type, referral source, length of visit and number of page
views. We may use this information for security purposes as well as, but not limited to, optimising
the use of the Rose website. For example, we may use third party contributors such as analytics
service providers for website traffic analysis and reporting and to track information such as which
browser, screen resolution and IP address you are using to access our website, in addition to
tracking your movements around our website. This information is always anonymized unless it is
required for legal or security purposes.
3. The legal basis we rely on to process your personal data – According to current data protection
laws, there is a series of bases under which we may process your data. These include:
3.1 Contractual obligations – when you make a purchase from us, you are entering into a contract
with us. In order to perform this contract, we need to process and store your data. For example, we
may need to contact you by email or telephone in the case of cancellation of a show, or in the case
of problems with your payment.
3.2 Legitimate interest – In certain situations (when you make a donation for example) we collect
and process your personal information to pursue our legitimate interests in a way which might be
reasonably expected as part of running our business and which does not materially impact your
rights, freedom or interests. When you book a ticket or activity we may also use your booking history
to send you personalised offers or marketing information by email or post about similar events and
initiatives that we think may be of interest to you (you may opt-out of receiving these at any time
using the contact details at the beginning of this policy). For research and reporting purposes (mostly
anonymously), we also combine the booking history of many patrons to identify trends and ensure
we provide best customer service. Please see paragraph 5. Disclosure of your information to check
where we may use this basis for processing.
3.3 With your explicit consent – In certain situations, where the two bases above are not
appropriate, we will instead ask for your explicit consent before using your personal information. For
example, when you tick an opt-in box to receive specific communications. When collecting your
personal data, we’ll always make clear to you which data is necessary in connection with a particular
service or offer.
3.4 Legal compliance – If the law requires us to, we may pass on details of people involved in fraud
or other criminal activity which may affect the Rose.
Less commonly, we may process your personal information where it is needed in relation to legal
claims or where it is needed to protect your interests (or someone else's interests) and you are not
capable of giving your consent.
4. How and why we use your personal data
a) To process or fulfil any bookings or orders that you place online, in person or over the phone
b) To provide you with marketing information by email or text about relevant products,
services and events that you request from us or which we feel may interest you, where you
have consented to be contacted for such purposes or it is our legitimate interest to do so;
c) To provide you with marketing information by phone about relevant products, services and
events that you request from us or which we feel may interest you, where you have
consented to be contacted for such purposes or it is our legitimate interest to do so and we
have checked the telephone preference service and our own marketing preference records.
d) To provide you with marketing information by post about relevant products, services and
events that we feel may interest you, where it is our legitimate interest to do so or you have
consented to be contacted for such purposes;
e) To provide you with marketing communications by post, email, web, text and/or phone
about relevant products, services and news of other third parties that you request from us
or which we feel may interest you, where you have consented to be contacted for such
f) To conduct fundraising activities and to promote the charitable interests of the Rose, where
you have consented to be contacted for such purposes;
g) To administer giving and membership schemes, when you sign up to them;
h) To ensure that our fundraising resources are applied in an effective and efficient manner,
and that any communications we may send you are appropriate and will be of interest;
i) To enable you to create an account and participate in interactive features of our website,
when you choose to do so;
j) To provide customer service in relation to your use of the Rose website, to deal with
enquiries and complaints and to notify you about changes to our services;
k) To administer, support, improve and develop our website, ensuring that its content is
presented in the most effective manner for you and for your computer;
l) To send you (non-marketing) communications required by law or which are necessary to
inform you about our changes to the services we provide to you (eg updates to this Privacy
m) To improve our website, we may analyse information about how you use it and the content
and ads that you interact with. We may also monitor users’ use of the website to enable us
to analyse audience make-up, track booking patterns, review audience attendance and
review other site behaviour in order to determine what other products, services and events
you may be interested in and in order to assist us improve our business generally. We’ll do
this on the basis of our legitimate business interest;
n) To send you surveys and feedback requests to help improve our services – participation in
these is entirely voluntary and you therefore have a choice whether or not to disclose any
information which might be required. We’ll do this on the basis of our legitimate business
interest as this will help us make our products or services more relevant to you.
o) To provide third parties with statistical information about our users but this information will
not be able to be used to identify any individual user.
p) To identify and prevent fraud or any other criminal activity.
5. Disclosure of your information
law, we will not share, sell or distribute any of the information you provide to us without your
5.2 Direct marketing – we aim to communicate with you about the work that we do in ways that you
find relevant, timely and respectful. To do this we use data that we have stored about you, such as
what events you have booked for in the past, as well as any preferences you may have told us about.
We use your explicit consent or our legitimate organisational interest as the legal basis for
communications by post and email. You may opt-out of receiving these at any time using the contact
details at the beginning of this policy.
Being a charity the Rose relies on the support of a range of donors and supporters, when you
purchase tickets you are also given the opportunity to opt in to receiving information about the Rose
fundraising initiatives. We will contact you for these purposes only if the relevant box has been
ticked. You can opt out or change your contact preferences at any time.
When you purchase tickets you are also given the opportunity to opt in to receiving information
from other arts organisations and our sponsors or partners. The Rose will only share your personal
information with these organisations if the relevant box has been ticked. You can opt out or change
your contact preferences at any time.
5.3 Email marketing – When purchasing tickets, workshops or other activities/events, we may send
you information about similar products, services and events which we feel may interest you, where
you have consented to be contacted for such purposes or it is our legitimate interest to do so. You
are given the opportunity to opt out from any marketing communication on every subsequent
marketing email you receive. You can also opt out or update your contact preferences at any time by
logging into your account, or you can alternatively use the contact details at the start of this policy.
5.4 Other processing activities – To comply with our obligations as a charity, we must take
reasonable and appropriate steps to know who our donors are, in order to effectively manage
relationships, particularly when significant sums are being donated. This means that we may conduct
research, including accessing publicly available information on prospective donors or corporate
partners, including individuals and organisations, to ensure that accepting support is in the best
legitimate interest of the Rose. This will help to give assurance that the donation is from an
appropriate source and to safeguard our reputation. This does not mean that we will question every
donation, nor that we will research lots of personal and other details about every donor. Any
information we do collect for this purpose will only consist of what is necessary for us to meet these
requirements and will be processed in line with your rights.
5.5 Third parties – We sometimes share your personal data with trusted third parties, including:
• Any third party to whom disclosure is necessary to enable us to provide you with any service
to which you have subscribed (including, but not limited to, for the purposes of processing
payments, or designing, maintaining and administering the Rose website).
• Any person to whom disclosure is necessary to enable us to enforce our rights under this
• Other carefully selected third parties (eg visiting shows) to contact you about events or
services which may be of interest to you, only if you have consented to be contacted by third
parties for such purposes.
• Direct marketing companies who help us manage our postal and electronic communications
• Audience research companies that may work with us to improve our services to you (in this
case, all data is treated anonymously).
• Google/Facebook to show you products that might interest you while you’re browsing the
internet. This is based on your acceptance of cookies on our website. Please refer to section 6. Cookies for details.
• In order to enforce any terms and conditions or agreements between us.
• As part of a sale of some or all of our business and assets to any third party or as part of any
business restructuring or reorganisation (we will always notify you in advance and we will
aim to ensure that your privacy rights will continue to be protected).
• To protect our rights, property and safety, or the rights, property and safety of others (this
includes exchanging information with other companies, organisations and regulators for the
purposes of fraud protection and credit risk reduction).
In these cases, we require that these third parties comply strictly with our instructions and with data
5.6 If we are required by law or requested by the police or a regulatory or government authority
investigating potentially illegal activities to provide information concerning your activities whilst
using the network we shall do so. We may also disclose personal information to appropriate
third parties to assist in anti-fraud checks and investigations.
In all of the above cases we will always keep your rights and interests at the forefront to ensure they
are not overridden by your own interests or fundamental rights and freedoms. You have the right to
object to any of this processing at any time. If you wish to do this, please use the contact details at
the beginning of this policy. Please bear in mind that if you object this may affect our ability to carry
out tasks above that are for your benefit.
In order to fulfil our obligations to you and deliver the best possible level of customer of care, we
currently use the following companies who will process your personal data (sometimes entirely
anonymously) as part of their contracts with us:
Box Office system: Spektrix
Banking and payment service providers, such as CAF Bank, Metro Bank, NatWest, Global Payments,
Design, website, media agencies and service providers such as Feast Creative, TCS Media, Google
Mailing houses, such as Graphic Design House, Royal Mail
Audience research agencies, web analytics services and data management systems and
communication platforms, such as Audience Agency, Purple Seven, Google Analytics
IT support agencies, such as Focus IT
Social networking websites and services, such as Facebook, Instagram, Twitter
Law firms and legal advisors, such as Moore Stephens, Russell Cooke
Ticket agencies, such as Ticketmaster, Ingresso, Encore, SeeTickets, LittleBird, Travelzoo
small text files that are automatically placed onto your device by some websites that you visit. They
are widely used to allow a website to function (for example to keep track of your basket) as well to
track of your basket as well as to identify how the website is being used and what improvements we
6.2 Therefore, we may send a cookie which may be stored by your browser on your computer’s hard
drive. We may use the information we obtain from the cookie in the administration of the Rose
website, to improve the site’s usability and for marketing purposes. We may also use that
information to recognise your computer when you visit the site, to monitor website traffic and to
personalise the site for you.
6.3 If you do not wish us to install cookies on your computer for these purposes, you may change the
settings on your internet browser to reject cookies. For more information, please consult the ‘Help’
section of your browser. Please note that if you do set your browser to reject cookies, you may not
be able to use all of the features of our site.
6.4 As mentioned above, we may use an analytics service provider (such as Google Analytics) for
website traffic analysis and reporting. Analytics service providers generate statistical and other
information about website use by means of cookies, which are stored on users’ computers. The
information generated relating to the site may be used to create reports about the use of the site
and the analytics service provider will store this information.
7. Third party sites and contributors
7.1 The website may contain links to other websites and microsites that are operated by third
those third party websites and microsites to find out how they collect and use your personal data
7.2 Advertisements contained on our website may operate as links to that advertiser’s websites and
as such any information they collect by virtue of you clicking on that link will be collected and used in
8. Security – How we protect your data
8.1 We employ security measures to protect your information from access by unauthorised persons
and against unlawful processing, accidental loss, destruction and damage. We store all the personal
information you provide, including your login and user details (where applicable), on our secure
servers. All electronic transactions you make to or receive from us will be encrypted using SSL
technology. Only employees and approved contractors/developers we may appoint from time to
time, and who need the information to perform a specific job, are granted access to personally
identifiable information. If you use your credit or debit card to purchase from us or to make a
donation, we will ensure that this is carried out securely and in accordance with the Payment Card
Industry Data Security Standard (PCI-DSS). We optionally allow you to store your card details for use
in a future transaction. This is carried out in compliance with PCI-DSS and in a way where none of
our staff members are able to see your full card number. We never store your 3 or 4 digit security
• We store papers in lockable cabinets in our offices when not being actively used and we
have a secure off-site document storage facility for archived papers.
• Our offices are secure and only personnel holding appropriate security passes can access
areas where personal data are stored.
• When necessary, we dispose of or delete your data securely.
• We ensure that our employees, agents and contractors are aware of their privacy and data
security obligations and we take reasonable steps to ensure that employees of third parties
working on our behalf are aware of their privacy and data security obligations.
• We limit access to your personal information to those employees, agents, contractors and
other third parties who have a need to know
8.2 Regular security reviews are held by us to ensure that the site remains safe and secure for your
8.3 Data transmission over the internet is inherently insecure, and we cannot guarantee the security
of data sent over the internet.
9. International Data Transfer
9.1 Our servers are situated in the UK, however we collect data from wherever users are situated.
The information that we collect may therefore be transferred to the UK from any other country in
which you may be located and will be subject to the UK data protection laws.
9.2 Your personal data may be transferred, processed and/or stored outside the European Economic
Area (EEA), for example if the supplier or service provider of our choice is based outside the EU. If we
transfer your information outside of the EEA in this way, and the country in question has not been
deemed by the EU Commission to have adequate data protection laws, we will provide appropriate
safeguards and we will be responsible for ensuring your privacy rights continue to be protected as
outlined in this notice. By submitting your personal data, you agree to this transfer, storing or
10. Data retention – How long we will keep your personal data
10.1 We will retain your information, including your name, address, email, phone number and card
details (where applicable), for the duration of your membership of the site (where applicable) and
for as long as necessary to fulfil the purposes we collected it for, including for the purposes of
satisfying any legal, accounting, or reporting requirements.
10.2 To determine the appropriate retention period for personal information, we consider the
amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use
or disclosure of your personal information, the purposes for which we process your personal data
and whether we can achieve those purposes through other means, and the applicable legal
10.3 At the end of that retention period, your data will either be deleted completely or anonymised,
for example by aggregation with other data so that it can be used in a non-identifiable way for
statistical analysis and business planning and reporting. If you haven’t used your account for a
number of years, it will be flagged as ‘inactive’ and treated accordingly (we’ll either delete it or
anonymise the data associated with it).
Our retention periods may be extended or reduced if we deem it necessary, for example, to defend
legal proceedings or if there is an on-going investigation relating to the information.
11. Your rights
11.1 Under certain circumstances, by law you have the right to:
• Access the information held about you (commonly known as a "data subject access
• Ask us to make any necessary changes to ensure that it is accurate and kept up to date.
• Ask us to erase your personal information from our files and systems where there is no good
reason for us continuing to hold it.
• Object to us using your personal information to further our legitimate interests (or those of
a third party) or where we are using your personal information for direct marketing
• Ask us to restrict or suspend the use of your personal information, for example, if you want
us to establish its accuracy or our reasons for using it.
• Ask us to transfer your personal information to another person or organisation.
You also have rights in relation to automated decision making which has a legal effect or otherwise
significantly affects you. We do not carry out any automated processing, including profiling, which
produces significant legal effects concerning you.
If you wish to exercise any of these rights, please contact us (see paragraph 1. Contacting Rose
11.2 You may request us to cease sending you any marketing information at any time by updating
your profile and contact preferences online or by notifying us in writing – please see paragraph 1.
Contacting Rose Theatre Kingston. However, if you withdraw your consent to certain types of
processing we may be unable to fulfil our obligations to you (eg provide customer service, process
ticket bookings) or maintain your membership of the Rose website.
11.3 If you are under 18, please ensure that you obtain your parent/guardian's consent beforehand
whenever you provide personal information to the Rose.
12. Queries and Complaints
12.1 If you have any questions about this privacy notice or how we handle your personal
information, please contact us (see paragraph 1. Contacting Rose Theatre Kingston).
12.2 You have the right to make a complaint at any time to the Information Commissioner's Office
(ICO), the UK supervisory authority for data protection issues.
COVID-19: Your Privacy and NHS Test and Trace
If you are visiting our venue we will scan your tickets to record your attendance to our event so that we can take part in the NHS Test and Trace service to help prevent the spread of COVID-19. If your account with the Rose Theatre Kingston does not have a phone number attached then you will be asked to supply one. Only the main booker’s details and booking party size will be recorded for Test
and Trace purposes. The Government has asked organisations to do this in order to keep visitors and employees safe. This means that NHS Test and Trace will be able to quickly identify people who have come into contact with someone who has tested positive for COVID-19 and provide guidance on how to proceed. Rose Theatre Kingston will keep this information on your customer record for as long as it is required for potential use by the NHS Test and Trace service. If the information is requested by the NHS Test and Trace service then we will share it with them so they can use it for contact tracing and to investigate local outbreaks of COVID-19.