The Painshill Park Trust is committed to protecting your personal information and to being transparent about the information we hold about you, as well as giving you control on how we use it. Using personal information allows us to develop a better understanding of our patrons, and in turn provides you with relevant and timely information about the work that we do.
The purpose of this policy is to give you a clear explanation about how we collect and process your personal information, including any data you may provide through our website and when you sign up to our newsletters, purchase an event ticket or make a donation.
WHO WE ARE
Painshill Park Trust Ltd. is the trading name of Painshill of Portsmouth Road, Cobham, Surrey KT11 1JE, a registered charity (284944) and a limited company registered in England (1587910).
Painshill is the ‘data controller’ of your personal information and is subject to the Data Protection Act 1998 (“DPA”) (and the General Data Protection Regulation (the “GDPR”)).
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
INFORMATION WE COLLECT ABOUT YOU
Personal information means any information about an individual from which that person can be identified.
We may collect the following types of personal data about you (and your family members, where relevant):
- Identity Data including First and Last Name, Title and Date of Birth.
- Contact data including email address(es), telephone numbers and postal address(es) and records of communications and interactions we have had with you.
- Financial data. This includes Direct Debit details (but not your payment card details, which we never collect or store ourselves since we always use a third party ‘payment gateway’ to process card payments).
- Profile Data including your purchase history, preferences and feedback.
- Technical Data includes the internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.
- Usage Data includes information about how you use our website, products and services.
- Marketing data. When you visit our website, we collect information about how you interact with our content. When we send you a mailing we store a record of this and in the case of emails, we keep a record of which ones you have opened and which links you have clicked on.
- Marketing preferences. This includes your preferences in receiving marketing from us and our third parties and your communication preferences. This helps us to manage our relationship with you and ensures you only receive communications from us that are relevant and timely.
- Sensitive personal data. Data Protection law recognises that certain categories of personal information are more sensitive, such as health information, race, religious beliefs and political opinions. We do not collect this type of information about our patrons unless there is a clear reason for doing so. As an example, we may collect health information about children engaged with education visits in the landscape. We may collect limited data concerning your health or medical conditions, where you have volunteered this, for example, so that we can cater for you when you attend a Painshill event. We do not collect details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions or trade union membership. Nor do we collect any information about criminal convictions and offences.
HOW WE COLLECT THAT INFORMATION
We may collect, use, store and transfer your personal information in a few ways, namely:
- Directly from you, when you fill in an application for membership, when you make enquiries or buy a ticket on our website, or when you interact with us during your visit or time as a member, when you make a donation or update your preferences. We will store all the personal information you give us such as your name, email address, postal address, billing address and telephone number. We will also store a record of your ticket purchases and/or donations.
- From someone else who has bought a membership on your behalf (for example where they have bought Painshill membership for you as a gift and provided us with your contact details for that purpose);
- On rare occasions, where we receive information about you from another member of Painshill (for example, where a Painshill member passes on your details to us in connection with a complaint or query you have raised when visiting Painshill).
- As you interact with our website, we may automatically collect certain technical information. This includes:
The internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
- Information from third parties. We occasionally receive information about you from third parties like Google Analytics and social media sites such as Facebook.
OUR LEGAL BASIS
There are three legal bases under which we may process your data:
- Contract purposes (a)
When you make a purchase from us or become a member, you are entering into a contract with the Painshill Park Trust. In order to perform this contract we need to process and store your data. For example, we may need to contact you by email or telephone in the case of the cancellation of an event, or in case of problems with your payment.
- Legitimate business interests (b)
In certain situations, we collect and process your personal data for purposes that are in our legitimate organisational interests. However we only do this if there is no overriding prejudice to you by using your personal information in this way. We describe below all situations where we may use this basis for processing.
- With your explicit consent (c)
For many situations we will ask for your explicit consent before using personal information.
- Comply with a Legal or Regulatory Obligation (d)
This means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
If you fail to provide personal information
Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with a ticket). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Users under 18
Where we need to collect information on children, for example for education visits, holiday camps and activity events, we do so with the explicit consent from a parent or guardian.
We understand that people aged under 18 may use our website. If you are under 18, please ensure that you obtain your parent/guardian’s consent beforehand whenever you provide personal information to us. To request to see our Safeguarding Policy, please contact us, using the contact details at the end of this policy.
HOW WE USE YOUR INFORMATION
We will only use your personal information when the law allows us to. We have set out below a description of all the ways we plan to use your personal data, with the legal bases (a,b,c described above) we rely on to do so.
- To enter you into a contract with Painshill (a)
When you purchase a membership or event ticket with Painshill and give us your personal data we will use that data to perform the contract, for example send you your membership card or communicate with you about an event you are attending.
- To process your request for support or an enquiry about our services (b)
When you fill in an enquiry online or call us with a question we will use your information to supply you with the relevant information.
- To manage our relationship with you (a)
As part of our service to you, we may contact you by telephone to provide essential information related to your purchase or visit. For example if an event is cancelled or we need to close on a day you have booked tickets.
- To deliver relevant advertising to you (c)
We aim to ensure that all our members get value for their membership by communicating to them often about the benefits of their membership, the work we do and the events they can attend. To do this, we will use the data stored about you, such as what events you have attended, when you became a member, and any contact preferences you may have told us.
If you purchase a gift membership the email address you provide along with the members’ email address will be stored. The membership communication will be applied to the members’ details.
As well as our members we aim to communicate with the general public about the work we do and the events we have on. We will always aim to do so in ways that are relevant, timely, respectful and never excessive.
We will only contact you by post or email if you have given us consent by opting in online or via a form, giving us verbal agreement, or emailing us your data.
In case of post you can opt out at any time by contacting us. In case of email we will then provide you with the option to unsubscribe in every email that we send you. Alternatively, you can use the contact details at the end of this policy to update your contact preferences.
- To administer and protect our business, this website & our software (d)
This includes troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data.
- For data analytics (b)
We may analyse data we hold about you to ensure that the content and timing of communications that we send you are as relevant to you as possible and improve our services.
We use barcodes on our membership cards and email booking confirmations to collect information on your visits. This data includes the date that you have visited, your contact information and your membership number. We use this information to understand our patrons’ visiting trends. We also use this information to make our communications to you more relevant.
We may also analyse data in order to identify and prevent fraud.
We will always keep your rights and interests at the forefront to ensure that they are not overridden by your own interests or fundamental rights and freedoms. You have the right to object to any of this processing at any time. If you wish to do this, please use the contact details at the end of this policy. Please bear in mind that if you do object, this may affect our ability to carry out tasks above that are for your benefit.
DISCLOSURE OF YOUR DETAILS TO THIRD PARTIES
There are certain circumstances under which we may disclose your personal information to third parties. These are as follows:
- To our service providers who process data on our behalf and on our instructions (for example our membership and booking system software provider, email distribution service and mailing houses). We require all third parties to respect the privacy of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
- Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies).
Ensuring the privacy and security of your personal information is very important to us. Painshill Park Trust will never sell your personal details to third parties for any purpose. We will never share, sell or rent your personal information to anyone in a way different from what is disclosed above unless ordered by a court of law. We maintain a variety of physical, electronic and procedural safeguards to protect your personal information. We will always refer to this policy and we’ll keep this page updated.
SECURITY OF YOUR PERSONAL DATA
We recognise that many people have concerns about providing personal information online and we work hard to ensure that your data is kept safely and securely at all times. Painshill Park Trust is committed to maintaining the privacy of our visitors, members and those who visit our websites. Painshill is the sole owner of the information collected on site & on the website or telephone. This information will not be sold or rented to others in ways different from what is disclosed in this statement. These are the measures that we take to secure your information whilst using our web-based services. We use encryption both when your information is moving to or from our web services and also whilst your information is held by us.
Our painshill.co.uk web pages use only a secure, encrypted https format (identifiable by the padlock in the address bar of your browser). This provides you with confidence that your communications are safe and carried out directly with an authentic Painshill web server. Our web servers use encryption and only store information for a temporary period. Once you have fully submitted your information, any temporary information is purged from our systems.
In order to process a new membership, renewal or gift membership, it is necessary for Painshill to gather the member’s and/or payor’s name, mailing address, phone, and credit card information or bank details for direct debit memberships. This data is used to verify identity and execute the financial transaction. If you choose to renew or purchase a membership online, you will have to provide your credit card billing information. As this information is collected and transferred over the Internet to our secure server, it is encrypted using Secure Socket Layer (SSL) technology, the industry standard security technology that is designed to protect sensitive information. The credit card or bank information that you provide at the time of renewal or purchase is used only to process your renewal or purchase and will not be stored in any way or used for any other purposes.
To ensure the security of personal data given to us via membership forms we keep them in a locked desk drawer. The forms are kept for 2 months; this allows us and our members a 60-day grace period to query their membership enrolment, or time for us to follow up if there are any problems with the processing of the application. After this period they are shredded for the protection of your data.
How Long Your Information Is Kept
We hold your information only as long as necessary for each purpose we use it. For most membership data, this means we retain it for so long as you have a valid Painshill membership and for a period of 5 years after your last interaction with us (for accounting, tax reporting and record-keeping purposes).
- Request access to your personal information
You have a right to request a copy of the personal information that we hold about you. Please use the contact details at the end of this policy if you would like to exercise this right or any of the rights listed below. If you are a European citizen and consider our use of your personal information to be unlawful, you have the right to lodge a complaint with the UK’s supervisory authority, i.e. the Information Commissioner’s Office.
- Request correction of your personal information
You have the right to request that we correct the personal information we hold about you, although we may need to verify the accuracy of the new information you provide to us.
- Request erasure of your personal information
You have the right to request that we delete or remove personal information where there is no good reason for us continuing to process it. Please note that we may not always be able to comply with your request for erasure if there are specific legal reasons which will be notified to you at the time of your request.
- Object to processing of your personal information
You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing your personal information
You have the right to request that we suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request transfer of your personal information
You have the right to request that the personal information we hold about you is transferred to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw consent
In circumstances where we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
YOUR MARKETING PREFERENCES
Painshill will always act upon your wishes in respect of what type of communications you want to receive and how you want to receive them.
We will always try to keep your data as up-to-date as possible. If at any time, you want to update or amend your personal data or marketing preferences then you can do so by contacting our team on:
Telephone: +44 (0) 1932 868 113
Post: Data Protection Officer, Painshill Park Trust Ltd., Portsmouth Road, Cobham, Surrey KT11 1JE
CONTACT AND COMPLAINTS
Telephone: +44 (0) 1932 868 113
Post: Painshill Park Trust Ltd., Portsmouth Road, Cobham, Surrey KT11 1JE
If you are not satisfied with how we are processing your personal information, you can make a complaint to the Information Commissioner. You can find out more about your rights under applicable data protection legislation from the Information Commissioner’s Office website available at www.ico.org.uk.
If we make any significant changes in the way we treat your personal information, we will communicate such changes to our patrons and supporters where we have accurate contact details and where they would expect to receive communications from Painshill Park Trust.
RESTRICTIONS ON USE
This site is owned and operated by Painshill Park Trust Ltd. The information on this site is provided to assist you in planning your visit to Painshill, and it is for this purpose only that the site may be used. While we encourage you to print information which will help plan your visit, no photographs, images or other materials from our site may be copied, downloaded, transmitted, distributed or used in any other way, including for any commercial use. Also, you may not alter or attempt to alter any materials or information on the site, or the site itself.