Company Privacy Notice
For all staff, performing and production company and other freelance workers and applicants for all such positions
Glyndebourne commits to protecting your privacy. We will only use information about you in accordance with the Data Protection Act 2018 and other relevant legislation and regulations. Our Company Privacy Policy is set out below; please read it with care as it describes how we will process your data.
This Privacy Notice explains:
- what information we may collect about you;
- how we keep your information safe;
- what we may use your information for;
- who we may share your information with;
- your rights regarding the personal information you provide to us.
For the purposes of the Data Protection Act 2018, Glyndebourne Productions Ltd is the Data Controller. If you have any questions regarding the Privacy Notice or any data protection matter, please contact governance@glyndebourne.com or write to the Head of Risk & Compliance, Glyndebourne, Lewes, BN8 5UU (Data Protection Officer).
Generally, the lawful basis on which we process your information is the fulfilling of your employment (staff) or engagement contract (performing company and all other freelance workers) with Glyndebourne. However, Glyndebourne relies on several legal bases to use and process personal information about you, including that the processing is necessary for:
- Glyndebourne’s legitimate interests to establish and manage Glyndebourne’s relationship with you and for related functions including for personnel and administrative purposes, such as:
- Business processes such as maintaining organisational and statutory records, management analysis, audits, forecasts, planning, transactions, business continuity, diversity monitoring and labour risk prevention;
- The security of the workplace, assets, workers and the personal information of workers and customers, including monitoring, as described below;
- To inform business decision-making to protect the health of all who visit Glyndebourne, under Article 9 Section (2)(b) of the Data Protection Act 2018, whenever required to do so by Government regulation;
- Implementation of extraordinary operations, such as mergers and acquisitions, transfer of business or transfer of a branch of the organisation, and entering into joint venture agreements; and
- Programs and policies on training and development, job evaluation, rewards, planning, and organisation;
- The performance of employment and services contracts, including Human Resource administration, payroll and provision of benefits;
- Compliance with applicable laws and regulations and Glyndebourne’s legal obligations, such as accounting and tax requirements and in relation to staff insurance and pensions;
- For the purposes of carrying out the obligations and exercising rights under employment law;
- For the purposes of preventative or occupational medicine or to assess the working capacity of our workers;
- Establishing, exercising or defending legal claims; and
- Where applicable, on the basis of your consent (for example, enrolment in voluntary programmes or benefits at your direction), from which you may subsequently withdraw at any time by contacting our HR team, without affecting the lawfulness of processing based on consent before its withdrawal.
We will use your personal data only for the purposes for which it was collected, unless we reasonably consider that we need it for another purpose that is compatible with the original purpose and there is a legal basis for the further processing and where we have provided notice to you.
We comply with applicable data protection law. This means that when processing personal information for any purpose we must ensure it is:
- Used lawfully, fairly and in a transparent manner.
- Collected only for valid purposes that have been clearly explained and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up-to-date.
- Kept only as long as necessary for the purposes we have informed you about.
- Kept securely as detailed below.
We expect all staff to follow these privacy principles when processing personal data on our behalf.
When we collect personal data from you we store it under strict safekeeping and confidentiality measures. We use technical and organisational security measures to protect it against misuse and any external data processing services we use must meet our security policies. We hold your data on secure servers operated by Glyndebourne. All of your data is held on servers within the EEA.
We allow only those staff members who need to process your data to have access and prevent all other staff from seeing it. We meet the protection offered to you under the Data Protection Act 2018 and other applicable data protection laws.
We are committed to safeguarding children, young people and vulnerable adults and do all we can to ensure that all who work at Glyndebourne, whether on stage or joining a Learning & Engagement project, are safe and inspired by their experience. An important part of doing this is to protect their privacy.
If you are age 16 or under, please obtain your parent / guardian’s permission every time before you provide any personal information; we will always require their signature on any documentation when you sign up to a Glyndebourne project or are contracted to perform. We will always require the carer’s signature on similar documentation relating to vulnerable adults.
We will keep information which identifies you only if you are a job applicant, an employee or engaged by Glyndebourne. This information may be collected by Glyndebourne or its technology and systems when you use such technology and systems, and also, when lawful, from third parties in the course of our business activities, and this may take place prior to and during the work relationship. This personal information may include, but is not limited to: your application materials; offer letter; any subsequent contractual details; professional correspondence with or about you; salary and other compensation details; benefits forms; and personal reviews.
These documents may contain, amongst other information:
- your name, and any former names
- your home address, and former addresses
- phone number
- date of birth
- email address
- emergency contact details
- medical issues and medication
- bank account details
- Curriculum Vitae (CV)
- educational history
- NI number
- employment records such as notes from personal reviews and attendance records
- details about your health and your sickness absence record
- holiday records
- your contractual pay and any benefits or allowances
- performance ratings and disciplinary records
- trade union membership
- criminal convictions
- nationality, residency status, passport or visa number, right to work documentation
- marital status
- monitoring data such as gender, ethnicity, age, religion, disability
If you audition with us or are engaged as a performer, or if otherwise required for badge issuance or other security or compliance purposes, including footage from closed circuit televisions (CCTV), we may also hold:
- your image either as film or photograph
- your personal measurements for making costumes
We sometimes have to share your information with third parties to undertake business activities, including but not limited to external suppliers of HR benefits, professional advisers, insurers, service providers, public bodies, or a prospective employer.
For example, your personal information may be sent to the following categories of recipient for the following reasons:
- To external suppliers to administer your benefits on our behalf (e.g. providers of private health insurance or the Glyndebourne pension);
- To our professional advisers and insurers;
- To competent public corporations, government authorities, HMRC, NHS and law enforcement as may be required by law, including regarding tax, national insurance labour, social security, or similar matters;
- To our carefully selected service providers appointed from time to time to provide services related to our organisation and under contract to us. Those service providers will be carefully selected and bound by appropriate contractual protections (such as to use appropriate measures to protect the confidentiality and security of personal data), where required by applicable data protection law;
- To a prospective employer, for example in response to a reference request;
- Images and measurements for costumes may be sent to other arts organisations, on request.
- To external parties as required by law or legal process, or as otherwise authorised by you.
- To statutory and funding organisations.
- To Glyndebourne software providers.
- To external bodies responsible for carrying out DBS checks.
- For research and statistical analysis (provided anonymously).
And, only with your consent:
- your contact details may be shared with other arts organisations interested in seeking information about specialist artists or contacting performers.
We will hold your personal information only for as long as it is relevant to your working relationship with us or as long as necessary to comply with any legal obligation or to fulfil the above-listed purposes. After the end of your contract with Glyndebourne we will also keep the following types of records for:
Glyndebourne will at all times adhere to the Seven Key Principles of the Data Protection Act 2018. These are that data is:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
(g) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
We will take all reasonable steps to ensure that your personal information is kept up-to-date and accurate. From time to time we may ask you to review and update the personal information we hold. In order for us to keep your personal information up-to-date, you must also inform us of any changes to the personal information we hold about you such as your name, address, and contact details.
You have the right to ask for a copy of the personal information that we hold about you, to correct any inaccuracies in that information, object to the processing of such information or ask us to delete such records unless we are prevented from doing so by law, and also have the right to request that such information be ported (transferred) to another organisation or company. Human resources will be able to explain how to do this. We will provide you with a response in accordance with applicable data protection law. Glyndebourne may refuse to provide such information in limited circumstances under applicable law. If you would like to have a copy of this information, or have a privacy concern or question relating to this notice, for staff matters please contact HR@glyndebourne.com, for performing company matters please contact either your line manager or governance@glyndebourne.com.
You have the right to complain to the Information Commissioner’s Office if we have not been able to satisfactorily resolve a problem about our handling of your personal information.
This notice does not form part of your contract of employment and does not create contractual rights or obligations. The provisions of this notice may be altered by the Company from time to time. Any alteration or addition will be posted on the Company intranet or notified to staff in writing, by email or letter.
2018, this update July 2023