Privacy Policy

This statement outlines in plain language how we use your data, what data we hold on you and how we take measures to ensure the data we hold is kept securely and safely.

The Data Controller:

The data controller is Luton Carnival Arts Development Trust (ICO registration ZA506886) trading as The UK Centre for Carnival Arts (UKCCA) of 3 St Mary’s Road, Luton, Bedfordshire, LU1 3JA and can be contacted by email at data@carnivalarts.org.uk.

Legal Basis:

We use the following legal bases to collect and process your data:

  1. In your legitimate interest to provide an interactive website experience and to book and use our venue at your choice.

  2. Upon your express consent to contact you surrounding events and services provided by UKCCA.

  3. Upon your consent of entering the venue to have your image captured on CCTV for the purposes of health, safety and wellbeing management.

  4. To undertake elements of a contractual obligation should you hire our venue.

  5. Under a legal obligation should you become involved in any criminal or health and safety incident. Additionally, in the event that you become banned from using the venue.

Why We Process Data:

In summary, we use the data we hold and process:

  1. To provide an interactive website that provides information that you’re most interested in and to use Google Analytics to monitor the engagement in communication mediums and website usage to improve the services and communications offered to students. To prevent this from happening please visit here.

  2. To facilitate any venue bookings that you may wish to make and related payment for venue hire, external suppliers and reimbursement of deposits for events.

  3. To ensure appropriate health and safety and security is in place and the recording of those who have been banned from the venues to ensure compliance with the licensing act and provide a safe experience for our users.

  4. To enlist the services of external specialists to facilitate events.

  5. To seek new and continued business.

  6. To ensure the appropriate record keeping of incidents, accidents and near misses.

What Data We Hold:

We receive all data directly from you and from no other third party sources. Typically we hold the following types of data based upon the following interactions:

Interaction: To facilitate venue bookings

Typical Data Held:

  • Contact name

  • Contact email address

  • Contact telephone number

  • Information required to facilitate the event

  • Signature

  • Charity commission registration numbers

Interaction: To ensure appropriate health and safety and security

Typical Data Held:

  • Public liability insurance certificates

  • Food hygiene certificates

  • Portable Appliance Testing (PAT) records

  • Security Industry Authority (SIA) badges

  • CCTV footage

Interaction: To facilitate the payment of venue hire, external suppliers and reimbursement of deposits for events

Typical Data Held:

  • Bank account details

  • Invoices

Interaction: To seek new and continued business

Typical Data Held:

  • Contact name

  • Contact email address

  • Contact telephone number

  • IP address

Interaction: To ensure the appropriate record keeping of incidents, accidents and near misses

Typical Data Held:

  • Contact Name

  • Contact email address

  • Contact telephone number

  • Details of the incident

Interaction: Recording of those who have been banned from the venues to ensure compliance with the licensing act and provide a safe experience for users

Typical Data Held:

  • Name

  • Copy of photographic identification

  • Reason for ban

Interaction: To produce marketing and promotional materials and impact reporting through the use of photos, films and quotes provided for publication

Typical Data Held:

  • Photos

  • Video footage

  • Quotes

The Use of Cookies:

Cookies are very small text files that are stored on your computer when you visit some websites. We use cookies to help identify your computer so we can tailor your user experience, track shopping basket contents and remember where you are in the order process. You can disable any cookies already stored on your computer, but this may stop our website from functioning properly. The following cookies are used on our website:

Cookie: _gat

Explanation: Used to limit the number of API requests to ensure website performance known as “throttle request rate”.

Retention: 1 minute

Cookie: _ga

Explanation: Used to distinguish and remember you as a website user.

Retention: 2 years

Cookie: _gid

Explanation: Used to distinguish and remember you as a website user.

Retention: 24 hours

Cookie: svSession

Explanation: Identifies unique visitors and tracks a visitor’s sessions on a site.

Retention: 2 years

Cookie: hs

Explanation: Used to ensure website security.

Retention: Until the user leaves the website

Cookie: __cfduid

Explanation: Used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

Retention: 11 months

Cookie: requestId

Explanation: Tracks visitor behaviour and measures site performance.

Retention: 1 minute

Cookie: XSRF-TOKEN

Explanation: Used to ensure website security.

Retention: Until the user leaves the website

If you don’t want to receive cookies, you can modify your browser so that it notifies you when cookies are sent to it or you can refuse cookies altogether. You can also delete cookies that have already been set.

If you wish to restrict or block web browser cookies which are set on your device then you can do this through your browser settings; the Help function within your browser should tell you how. Alternatively, you may wish to visit www.aboutcookies.org, which contains comprehensive information on how to do this on a wide variety of desktop browsers.

Access To Your Data:

UKCCA takes the security of your information very seriously. Only authorised staff will have access to your data for the purposes specified in this privacy notice. We make sure that your data is only accessed for legitimate purposes by people who are facilitating your customer experience.

Additionally, UKCCA may share data with the following third parties and has undertaken due diligence to ensure such organisations have appropriate data protection policies and procedures, security arrangements in place and are compliant with data protection legislation.

  • HMRC to ensure compliance with our reporting regulations.

  • Our external financial auditors.

  • The Charity Commission at their request.

  • The UK Government at their request.

  • The local licensing authority at their request.

  • The Police at their request.

  • Insurance provider at their request.

  • External suppliers required to deliver the event.

  • Peninsula.

Data Processors:

We use a range of data processors such as Sage to facilitate financial transactions. For all data processors, we enter into a data processing agreement on the terms that data can only be used to administer the task specified, upon our instruction and that all data will be destroyed following UKCCA ceasing to use the data processor. Additionally, we undertake due diligence on all data processors to ensure such organisations have appropriate data protection policies, procedures and security arrangements in place, and are compliant with data protection legislation.

Where The Data Is Held:

UKCCA ensures data is stored in secure databases and servers that adhere to industry standard security arrangements and are ideally located within the European Economic Area, following our data storage policy. Where UKCCA uses providers and servers located outside of the European Economic Area, it will ensure it meets the conditions under the General Data Protection Regulation (GDPR).

For the avoidance of doubt, UKCCA currently holds data related to venues in the following software providers/locations:

Photos and Filming:

UKCCA will clearly indicate in its event listing and terms and conditions of event entry where photos or filming will be taking place alongside the physical displaying of notices within the venue. Attendees at the event have the right to request not to be filmed or have a photo of them taken. Should any individual wish to request not having their photo taken or to be filmed they should make this known to a member of UKCCA staff at the event and such requests will be implemented.

Any requests for an image or an inclusion in a video to be removed from either being stored or publicly posted on social media, website or any other form of media contact should be made by emailing data@carnivalarts.org.uk and the images will be removed within 72 hours of the request being made.

Any requests for an image to be removed from a printed publication should be made by emailing data@carnivalarts.org.uk and UKCCA will prevent further circulation of the publication and take steps that are practically possible to recall other copies of the publication already in circulation. Should any individual have any questions about the use of photos and filming they should contact us on data@carnivalarts.org.uk.

Retention Period:

The list below outlines how long UKCCA retains each type of data and the justification for each retention period.

Data Area: Venue bookings.

Retention: 24 months.

Justification: Reasonable period to settle any insurance claims, police investigations, ensure payment and report anonymous statistics to funding organisations.

Data Area: Health and safety (excluding CCTV).

Retention: 24 months.

Justification: Reasonable period to settle any insurance claims, police investigations and licensing authority requests.

Data Area: CCTV without incident.

Retention: 28 days.

Justification: Reasonable period to settle any investigations and licensing authority requests.

Data Area: CCTV with incident.

Retention: Until the end of a police investigation and resulting processes.

Justification: To ensure compliance with legal obligations.

Data Area: Financial related data.

Retention: Maximum of five years.

Justification: To ensure compliance with financial regulations.

Data Area: Seeking new and continued business.

Retention: Indefinite unless consent is withdrawn.

Justification: Actions undertaken on the basis of consent which can be withdrawn at any point.

Data Area: Appropriate record keeping of incidents, accidents and near misses.

Retention: 24 months.

Justification: Reasonable period to settle any insurance claims, police investigations, licensing authority requests, health and safety executive reporting.

Data Area: Venue ban records.

Retention: Until the ban is lifted.

Justification: To ensure compliance with licence requirements and to ensure a safe environment for users.

Your Rights:

Under the General Data Protection Regulation, you have the following rights and can find more information on the Information Commissioner’s Office Website here:

  1. The right to be informed about what data is being held about you and how it is processed and managed, which has been clearly outlined within this privacy statement.

  2. The right of access to data that is held about you, and you can do this by contacting us on data@carnivalarts.org.uk.

  3. The right to rectification if the data that is held about you is inaccurate or incomplete, and you can request this to be undertaken by contacting us on data@carnivalarts.org.uk.

  4. The right to erasure of the data we hold upon you which is also known as the right to be forgotten. To request the right of erasure, please contact us on data@carnivalarts.org.uk.

  5. The right to restrict processing of the data we hold upon you. This means not deleting the data we hold upon you but placing a certain restriction or total restrictions on how we process it. To request the restricting of processing, please contact us on data@carnivalarts.org.uk.

  6. The right to data portability to receive the data we hold on you in an open source format such as in a CSV format. To request the data we hold in such a format, please contact us on data@carnivalarts.org.uk.

  7. The right to object to the way your data is being held, processed or managed, and you can do so by contacting us on data@carnivalarts.org.uk.

  8. Rights in relation to automated decision making and profiling which we have covered in more detail within this policy. Should you have any further questions or concerns in relation to this, please contact us on data@carnivalarts.org.uk.

Automated Decision Making:

Individuals have the right not to be subject to an automated, electronic decision when it is based on automated processing and it produces a legal effect or a similarly significant effect on the individual. In the event of UKCCA using automated decision making in the above manner we must ensure that individuals are able to obtain human intervention, express their point of view and obtain an explanation of the decision and challenge it. Should you be subject to this UKCCA will inform you in writing.

Complaints:

Should you have a complaint about the management of your data please contact us on data@carnivalarts.org.uk and we will investigate the matter. You have a right to also complain to the UK Regulator of Data Protection. You can make a complaint or raise a concern to the Information Commissioner’s Office online here.