Your privacy and security is important to The Criterion Theatre Trust. This Privacy Notice sets out how we look after your personal data, details of your privacy rights and how data protection laws protect you.
1. Background to this Privacy Notice
1.1 The Criterion Theatre Trust is the data controller in respect of the personal data processed when you visit our website at www.criterion-theatre.co.uk ("website") or our theatre at 218-223 Piccadilly, St. James's, London W1V 9LB ("Theatre"). If you have any questions or concerns in relation to this Privacy Notice you can contact our Managing Director at [email protected] or by writing to the Managing Director, The Criterion Theatre Trust, 2 Jermyn Street, London SW1Y 4XA.
1.2 Please note that we may need to update this Privacy Notice from time to time. We recommend that you check this page regularly to ensure that you have read and that you understand how we process your data. This Privacy Notice was last updated in May 2018.
1.3 This Privacy Notice relates only to the data we process about you. If you follow a link from our website to a third-party website, this Privacy Notice will not apply. We are not responsible for, and we cannot control, any third-party websites, plug-ins or applications which may allow third parties to collect or share your personal data.
2. What information we may collect and how we use it
2.1 Where we refer to personal data or personal information, we mean any information about an individual from which that person can be identified. This does not include data where the individual's identity has been removed.
2.2 We may collect, use, store and transfer different kinds of personal data about you which we group as follows:
Types of personal data
| Category |
Examples / Notes |
| Identity Data |
Name, marital status, title, date of birth, gender, username and password, images (via our CCTV system), purchases made by you, your interests and preferences, feedback and survey responses |
| Contact Data |
Billing address, delivery address, email address and telephone numbers |
| Financial Data |
Bank account and payment card details |
| Transaction Data |
Details about payments to and from you and other details of products and services you have purchased from us |
| Technical Data |
Internet protocol address, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, identification number, online identifier, location data and other similar identifying information required for your device(s) to communicate with websites and applications on the internet |
| Usage Data |
How you use our website products and services, the full URLs clickstream to, through and from our site (including date and time), download errors, lengths of visit to certain pages, page interaction information, methods to browse away from the page and any phone numbers you use to call us |
| Marketing and Communications Data |
Your preferences in receiving marketing from us and our third parties and your communication preferences |
| Health Data |
Details of any medical or health requirements you have, and accidents or injuries that occur in or around our Theatre which may include information about your medical history |
2.3 It is important that the personal data we hold about you is accurate and up to date. Please let us know if your personal data changes during your relationship with us. You can ask us to rectify or update your personal information at any time by using the contact details provided in this Privacy Notice.
3. How we collect your personal data
3.1 We collect your personal data through a number of sources.
3.2 You may give us your personal data directly by:
- registering to receive a newsletter on our website;
- making a booking or purchasing merchandise;
- creating an account with us;
- contacting us with an enquiry;
- forwarding an item to another email address;
- completing a survey which contains your personal information;
- entering a competition; or
- reporting a problem.
3.3 We may also get personal data about you from third parties, for example:
- Technical Data from analytics providers such as Google based outside of the EU;
- Identity and Contact Data from publicly available sources, such as Companies House.
4. How we use your personal data
4.1 We summarise the ways that we may use your personal data, and the legal bases for which we use your personal data, in the table below. We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your personal data.
4.2 We will only use your personal data for the purposes for which we have collected it. If we need to use your personal data for a different purpose that is not compatible with the original purpose that we collected it, we will let you know. We may process your personal data for a different purpose and without your consent where it is necessary for us to comply with our legal obligations.
Purposes, types of data and lawful bases
| Purpose / Activity |
Type of Data |
Lawful basis for processing (including basis of legitimate interest) |
| To carry out our obligations arising from the contract entered into between you and us when you purchase tickets for our Theatre shows, any other goods or services from us, and to provide with you the information, products and services you request from us |
Identity, Contact, Financial, Transaction and Marketing and Communications |
Performance of a contract with you. Necessary for our legitimate interests (for running our Theatre). |
| To contact you |
Identity, Contact, Financial, Transaction and Marketing and Communications |
Performance of a contract with you. Necessary for our legitimate interests (for running our Theatre, to keep our records updated and to study how customers use our products/services). |
| To notify you about changes to performances at our Theatre or our goods or services generally |
Identity and Contact |
Performance of a contract with you. Necessary to comply with our legal obligations. Necessary for our legitimate interests (for running our Theatre). |
| To ensure all visitors' safety, security and well-being at our Theatre |
Identity, Contact and Health Data |
Necessary to comply with our legal obligations. Necessary for our legitimate interests (for insurance claims purposes and for running our Theatre). In relation to Health Data, this is a special category of data and so we only process it with your explicit consent. |
| To provide customer support |
Identity and Contact |
Performance of a contract with you. Necessary to comply with our legal obligations. |
| To assist us in the improvement and optimisation of advertising, marketing material and content, our services and our website |
Identity, Contact, Financial, Transaction and Marketing and Communications |
Necessary for our legitimate interests (to develop our products/services and grow our business and for the provision of administration and IT services). |
| To provide you with information about other goods and services that we offer which we believe may interest you |
Identity, Contact, Technical and Usage |
Necessary for our legitimate interests (to develop our products/services and grow our business). |
| As part of our efforts to keep our website safe and secure and to prevent or detect fraud |
Identity, Contact, Financial and Transaction |
Necessary to comply with our legal obligations. Necessary for our legitimate interests (for running our Theatre, provision of administration and IT services, network security and to prevent fraud). |
| To comply with requirements imposed by law or any court order |
Identity, Contact, Technical and Usage |
Necessary to comply with our legal obligations. |
4.3 If you have any questions about the purposes for which we collect data, what data is collected or the lawful bases for which we use your personal data, please contact our Managing Director using the details above.
5. Sharing your personal data with third parties
5.1 We may share your personal data with the following third parties for the purposes set out in the table above:
- Spektrix Ltd (based in England) who provide our ticketing software and support services;
- Quay Tickets (a trading division of The Lowry Centre Ltd) (based in England) who help us to facilitate ticket sales;
- WorldPay (UK) Ltd (based in England) who process your payments on our behalf;
- Society of London Theatre (based in England) who may help us to prevent and detect crime and fraud.
5.2 We require all of the above third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow these third parties to use your personal data for their own purposes; they can only use your personal data in accordance with our specific instructions.
5.3 We may share your personal data with third parties to whom we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal data in the same way as set out in this Privacy Notice.
5.4 We may need to share your personal data with law enforcement authorities or regulatory bodies for the purpose of the prevention or detection of crime, or in relation to your health and well-being.
6. International transfers of your personal data
6.1 Your personal data is stored on our secure servers based inside the European Economic Area ("EEA"). We do not transfer your personal data outside of the EEA, except to a country where your personal data is offered the same level of protection.
7. Timescales for the storage of your personal data
7.1 Under data protection laws, we cannot retain your personal data in a form that identifies you for longer than is necessary to fulfil the purposes for which we collected it. This may include for the purposes of satisfying any legal, accounting or reporting requirements.
7.2 We usually store personal data for 7 years, but there may be occasions where we need to store it for longer or shorter periods. In order to determine how long we store your personal data for, we take into consideration why we need to continue to store your personal data, whether we can achieve the same result without having access to your data, and what the potential risk is if there is a data breach that affects your data.
7.3 Occasionally we may anonymise data which means that it is no longer associated with you. We do this for statistical or research purposes, so we can improve the services we offer to you. We can use anonymous data indefinitely without further notice to you.
8. Keeping your data secure
8.1 We understand the importance of keeping your data secure. We take all reasonably necessary steps to ensure that your data is treated securely, in accordance with this policy, in order to prevent your data being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
9. Other processing activities
Marketing
9.1 You may from time to time receive marketing emails from us to promote or advertise performances, events and other goods and services we offer that we believe may be of interest to you. You may receive these marketing emails if you have requested this information from us, or if you have made a booking or purchased any other goods or services through us.
9.2 We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
9.3 If you are receiving marketing emails from us but you want us to stop sending them, you can opt-out at any time using one of the following methods:
- By post: The Managing Director, Criterion Theatre, 2 Jermyn Street, London SW1Y 4XA
- By email: [email protected]
- By telephone: 020 7839 8811
- By logging into your account on our website and updating your marketing preferences
Consent to the use of cookies
9.4 For our website to function properly we use cookies. To obtain your valid consent for the use and storage of cookies in the browser you use to access our website and to properly document this we use a consent management platform: CookieFirst. This technology is provided by Digital Data Solutions BV, Plantage Middenlaan 42a, 1018 DH, Amsterdam, The Netherlands. Website: https://cookiefirst.com referred to as CookieFirst.
When you access our website, a connection is established with CookieFirst’s server to give us the possibility to obtain valid consent from you to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to be able to activate only those cookies to which you have consented and to properly document this. The data processed is stored until the predefined storage period expires or you request to delete the data. Certain mandatory legal storage periods may apply notwithstanding the aforementioned.
CookieFirst is used to obtain the legally required consent for the use of cookies. The legal basis for this is article 6(1)(c) of the General Data Protection Regulation (GDPR).
Data processing agreement
We have concluded a data processing agreement with CookieFirst. This is a contract required by data protection law, which ensures that data of our website visitors is only processed in accordance with our instructions and in compliance with the GDPR.
Server log files
Our website and CookieFirst automatically collect and store information in so-called server log files, which your browser automatically transmits to us. The following data is collected:
-Your consent status or the withdrawal of consent
-Your anonymised IP address
-Information about your Browser
-Information about your Device
-The date and time you have visited our website
-The webpage url where you saved or updated your consent preferences
-The approximate location of the user that saved their consent preference
-A universally unique identifier (UUID) of the website visitor that clicked the cookie banner
Aggregated Data
9.6 Sometimes we collect research or statistical data about you and our other customers, for example we may collect data about your browsing actions and patterns through our website cookies to measure interest in the various areas of our website and to inform advertisers as to how many visitors have "clicked" on their advertising banner. This is not usually classified as personal data as whilst it derives from your personal data it does not identify you. This is called Aggregated Data.
9.7 If we ever link this Aggregated Data to your personal information, it will be treated as personal data in accordance with this Privacy Notice.
Consent
9.8 We do not usually rely on consent in order to process personal data. If we do obtain your consent for a particular purpose you can withdraw your consent at any time by contacting us using one of the methods set out above.
Children
9.9 This website is not intended for children. However, there may be occasions where children visit our Theatre and we need to process personal data about them, for example if they have any access requirements or require medical attention.
9.10 Children have the same rights as adults over their personal data, and this Privacy Notice applies equally to the processing of children's data as it does to the processing of adult's data.
9.11 We use CCTV at our Theatre to help us maintain a safe and secure environment for our staff and our visitors. If you would like a copy of our CCTV Policy please contact our Managing Director using the details as above or [email protected].
10. Your legal rights, complaints and feedback
10.1 Under data protection laws you have the right to protect and look after your personal data. You have the right to:
- ask us for the personal data that we hold and process about you (data subject access request);
- prevent the use of your personal data for marketing purposes (note: even if you refuse marketing communications, we may still contact you to discuss the goods or services you have asked us to provide to you or to tell you about changes to our terms and conditions);
- ask that any inaccurate information we hold about you is corrected;
- ask that we delete the personal data we hold about you in certain situations;
- ask that we stop using your personal data for certain purposes;
- ask that we do not make decisions about you using completely automated means; and/or
- ask that personal data we hold about you is given to you, or where technically feasible a third party chosen by you, in a commonly used, machine-readable format.
10.2 The rights listed above may apply in certain circumstances, and so we may not always be able to comply with your request to exercise these rights.
10.3 We will usually respond to a request from you to exercise your rights within 1 month of receipt, but it might take longer if your request is particularly complex or if you have made a number of requests. Please be aware that we may need to process your personal data and/or request specific information from you to help us comply with your request.
10.4 You will not usually have to pay a fee to exercise these rights, but we reserve the right to charge a fee if your request is clearly unfounded, repetitive or excessive; alternatively we may refuse to comply with your request.
11. Complaints and feedback
11.1 If you would like to speak to us about how we handle your personal data, please contact The Managing Director in the first instance at [email protected] or by post The Managing Director, The Criterion Theatre Trust, 2 Jermyn Street, London SW1Y 4XA. You can also complain to the Information Commissioner's Office who is the UK supervisory authority for data protection issues.