Privacy Policy - West Bristol Arts Trail Clifton Redland Hotwells

Who we are

Definitions

Our website address is: https://westbristolartstrail.co.uk.

ArtsTrail refers to the West Bristol UK Arts Trail.

GDPR stands for the General Data Protection Regulation.

Responsible Person means the nominated member of staff or Trustee acting as the Data Protection Officer.

Register of Systems refers to a register of all systems or contexts in which personal data is processed by ArtsTrail.

1. Data Protection Principles

As a not-for-profit organisation, ArtsTrail is not registered with the Information Commissioner’s Office (ICO) under the permitted exemptions for organisations processing personal data. Nevertheless, ArtsTrail is committed to handling data in compliance with its obligations under the GDPR.

Article 5 of the GDPR mandates that personal data must:

Be processed lawfully, fairly, and transparently in relation to individuals;
Be collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes shall not be considered incompatible with the initial purposes;
Be adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
Be accurate and, where necessary, kept up-to-date. Every reasonable effort must be made to ensure that inaccurate data, in relation to its purpose, is promptly erased or rectified;
Be retained in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Data may be stored for longer periods if processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, provided appropriate technical and organisational measures are implemented to safeguard individuals’ rights and freedoms; and
Be processed in a manner ensuring appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, through appropriate technical or organisational measures.

2. General Provisions

This policy applies to all personal data processed by ArtsTrail.

The Responsible Person shall oversee ArtsTrail’s continued compliance with this policy.

This policy shall be reviewed at least every two years.

3. Lawful, Fair, and Transparent Processing

To ensure data is processed lawfully, fairly, and transparently, ArtsTrail shall maintain a Register of Systems, which will be reviewed annually.

Individuals have the right to access their personal data, and any requests to ArtsTrail shall be addressed promptly.

4. Lawful Purposes

All data processed by ArtsTrail must be based on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.

ArtsTrail shall record the appropriate lawful basis in the Register of Systems.

When relying on consent as a lawful basis for processing, evidence of opt-in consent shall be stored with the personal data.

Communications sent based on consent shall provide individuals with a clear option to withdraw their consent, and systems must ensure such withdrawals are accurately reflected in ArtsTrail’s records.

5. Data Minimisation

ArtsTrail shall ensure that personal data are adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

6. Accuracy

ArtsTrail shall take reasonable steps to ensure the accuracy of personal data.

Where accuracy is necessary for the lawful basis of processing, systems shall be implemented to ensure data is kept up-to-date.

7. Archiving / Removal

To ensure personal data is not retained longer than necessary, ArtsTrail shall establish an archiving policy for each area where personal data is processed.

This policy shall specify what data should or must be retained, for how long, and the reasons for retention. The policy shall be reviewed annually.

8. Security

ArtsTrail shall ensure:

Personal data held electronically is stored securely using up-to-date software;
Personal data in paper form is stored securely;
Access to personal data is restricted to staff and volunteers requiring access, with appropriate safeguards against unauthorised sharing.

It is the responsibility of staff and the Responsible Person to ensure volunteers are informed of their GDPR obligations.

When deleting personal data, it shall be done securely to prevent recovery.

Appropriate back-up and disaster recovery solutions shall be maintained.

9. Breach

In the event of a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data, ArtsTrail shall promptly assess the risks to individuals’ rights and freedoms.

If necessary, ArtsTrail will report the breach to the ICO without delay.

END OF POLICY