Privacy Policy

Data Protection & Privacy Policy

Updated 15/09/25

Who We Are

Moving Art Management is a dance producing company for the North East of England. We are a company limited by guarantee registered in England and Wales number: 09893099.

We specialise in bespoke producing services for artists and organisations, deliver scratch platforms and provide professional development opportunities for artist, financial bursaries, resources and mentoring.

Developing a better understanding of our customers, collaborators, partners and supporters through their personal data allows us to make better decisions about the work we make, create, and programme, fundraise more efficiently and, ultimately, helps us to reach our mission to champion creative excellence by producing and conceiving dance and cultural activities with a specific focus on innovative, inventive and intelligent work and ideas.

Our Data Promise

Moving Art Management Limited is committed to protecting your privacy and data. We will use the information that we collect about you in accordance with the General Data Protection Regulation 2018 and the Privacy and Electronic Communications Regulations 2003.

Moving Art Management (the data controller) needs to collect, store and use (data processing) information (personal data) about individuals (data subjects) in order to effectively deliver our organisational aims, commitments and legal obligations. Some of this data might be sensitive data for example about an individual’s ethnicity or religion (special category data). We may also need to pass on data to other organisations for specific purposes (data processors).

This may include information on our audiences, participants, staff or other organisations with whom we work. This policy sets out how we will do this in a way which ensures we comply with current data protection legislation and protects the rights and privacy of the individual.

Organisational Responsibilities

Under the General Data Protection Regulation (GDPR) 2018 we have a legal responsibility to ensure that data is processed lawfully, fairly and in a transparent manner in relation to individuals. We must ensure that personal data we hold is:

  • Collected for specific, clear and legitimate purposes and only used in the ways which were specified when the data was originally collected.

  • Relevant and limited only to the data that we need

  • Accurate as far as is reasonable and kept up to date where required

  • Only kept for as long as is necessary and securely destroyed afterwards

  • Processed securely

  • And that as an organisation we can demonstrate compliance with these principles.

Staff Responsibilities and Training

The lead members of staff for Data Protection are Rachel Jean Birch & Hannah Moreno (Directors), but all staff have a responsibility to ensure that the processes laid out in this policy are observed. All staff should read this policy carefully and raise any questions with the Data Protection lead to ensure they are clear on their responsibilities. To ensure an effective whole-organisation approach to data protection we will:

  • Provide a data protection briefing on induction and detailed training on any aspects relevant to a particular role for staff and trustees, for example within box office or marketing

  • Provide briefings to volunteers collecting or handling data, for example mailing list sign ups or evaluation forms

  • Provide whole staff training every two years

  • Keep up to date on legislation through the Data Protection lead and provide briefings when there are significant updates or changes to legislation

  • Include data protection on board agendas

Recording and Reviewing Data Processing and Compliance

We have carried out a data audit which will be reviewed annually. This details:

  • what personal data we process

  • why we process it

  • how we have communicated this information to the data subject

  • whether this is special category data

  • a confirmation that this is the minimum data required to complete the task

  • how the data is kept securely

  • how long the data is held for

  • how the data is checked for accuracy and kept up to date

  • any actions required Regarding reasons for processing, GDPR sets out 6 reasons why data may be processed. These are:

  • Consent (when a data subject gives consent)

  • Contract (in order to be able to deliver or enter in to a contract)

  • Legal obligation (where the law requires it)

  • Vital interests (to protect someone’s life)

  • Public task (to perform a task in the public interest or for official functions)

  • Legitimate interests (necessary for your legitimate interests unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests) Where consent is given the data audit will also record for that particular type of data:

  • how consent is given and where this is recorded

  • how people can as easily withdraw their consent, for example by unsubscribing After each review, individual staff members will then be briefed as to their responsibilities and the actions needed relating to different data.

In addition to the above, where we are collecting sensitive data, we must also meet one or more additional criteria to have a reason to process the data. Those that are relevant to our work include:

  • The individual whom the sensitive personal data is about has given explicit consent to the processing.

  • The processing is necessary so that you can comply with employment law.

  • The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.

We will also carry out an audit of third party processors which details:

  • the type of data shared

  • the reason for sharing it

  • how data is transferred securely

  • how we know the processor complies with data protection law

  • That the processor does not transfer data outside of the European Economic Area (EEA) and if so that their data protection is at least equal to that of companies inside the EEA (e.g. IOS Certificate or US Security Shield) and how data subjects are informed of this

  • any actions needed

GDPR compliance should be demonstrated through contracts with third party processors, for example specifying how data will be kept securely included in terms and conditions for mailing list software used or specific data protection clauses included in contracts with external payroll companies.

What Information Do We Collect?

You give us your information when you buy a ticket over for a performance or event managed by Moving Art Management, by phone, online or in person; by signing up for one of our other events or workshops; by updating your preferences by email or via out website Contact Us page; by making a donation; or by communicating with us. We also keep your details when you sign up to receive emails from us.

The information we hold about you may include: • Your name • Postal address • Telephone number • Email address • Ticketing history • Billing information • Donation history • Your preferences for how we communicate with you about our activities • Information that is available publicly • CV or artist biography • Medical information We keep a record of the emails we send you, and we may track whether you receive or open them so we can make sure we are sending you the most relevant information.

Actions and Compliance

The data audit details actions specific to individual types of data processing. The following actions for compliance underpin this but should not be seen as exhaustive. Staff should take responsibility for ensuring a data audit is carried out, with the support of the lead, when new forms of data are collected and new technologies are implemented.

How Do We Use Your Data?

Your data is used to select and inform you of relevant events or activities we think may be of interest to you, as well as opportunities to support our work. We use your data to: • Provide you with the show tickets or respond to information you have asked for • Contact you if there are any important changes to your booking • Administer your ticket sale or donation, including processing gift aid • Keep a record of your relationship with us • Ensure we know how you prefer to be contacted • Occasionally undertake customer research to help us understand how we can improve our services or information • Tell you about changes in our services or new services, events offers, and opportunities to support us that we think you’ll find of interest • Process call out application submissions for our events based on project criteria.

Marketing

  • ensure privacy policies are up to date and compliant

  • ensure mailing list sign up statements follow requirements for unambiguous, specific and, where possible, granular options e.g. choosing what they receive information on and by what methods- phone, email etc.

  • ensuring an audit is carried out for any third party processors used e.g. mailing software

  • ensuring the legal basis for direct marketing, either by legitimate interest or consent, is clearly established, recorded and appropriate actions taken

  • ensuring consent can be clearly given by an affirmative action and as easily withdrawn

Participation

  • ensure young people’s data is only processed with their guardian’s consent

  • ensure young people’s data is only shared on a need to know basis e.g. medical information with workshop tutors

  • ensure all freelancers, tutors and volunteers are briefed regarding their data protection responsibilities regardless of how short their contract is

  • ensure young people’s data is kept securely during practical sessions e.g. permission forms during a workshop

Box Office

  • ensure terms and conditions for box office use reflect current data protection legislation and are available to the customer

  • ensure mailing list sign up options include clear, compliant information being given to the customer regardless of ticketing method e.g. online, by phone or in person.

  • ensure third party ticketing systems are audited and compliant

  • ensure data sharing agreements with third parties e.g. touring companies, are effectively implemented with information being shared with customers at point of collection and an audit carried out

Operations

  • ensure website privacy policy and cookie policy is clear and compliant and online providers have been audited

  • ensure audits, staff training and briefings are carried out

  • ensure IT policies are in place and compliant and staff are briefed

  • ensure IT software and hardware is audited and offers sufficiently robust security

  • ensure procedures are in place for responding to data breaches, subject access requests, data portability and requests for the right to be forgotten and to support staff in responding to such requests

All staff

  • ensure data is updated as soon as inaccuracies are discovered e.g. if you receive an email bounce back

  • ensure unnecessary duplicates of data are not created e.g. multiple versions of a mailing list

  • ensure copies of personal data are not made on to personal computers

  • use strong passwords and password protect files and lock screens for computers that contain personal data

Storing Data Securely

The data audit will include an audit of how each type of data is secured. General practice should include:

  • use of locked filing cabinets or similar where data is stored on paper, memory sticks or other physical items

  • shredding of paper data that is no longer required

  • Computer log in passwords that are strong, not shared and changed regularly

  • restrictions on access levels and use of passwords where data is stored on a cloud based system or network

  • only using third party processors, which includes cloud based systems, where this has been audited and agreed

  • Not saving data to personal computers, mobile phones or similar devices. Where data held is special category data, this should be noted in the data audit and security measures interrogated to ensure they are sufficient.

Third parties

There are certain circumstances under which we may disclose your personal information to third parties. These are as follows: To our own service providers, partner venues or artistic collaborators who process data on our behalf and on our instructions, for example creating guest lists, or crediting images or programme notes. In these cases we require that these third parties comply strictly with our instructions and with data protection laws, for example around security of personal data.

Breaches

In the event of a security breach, the Data Protection lead must be informed immediately. Depending on the circumstances of the breach action will include:

  • completing an incident report

  • taking action to address the cause of the breach

  • taking action to minimise the damage that may be caused by this data not being kept securely - possible disciplinary action If the breach is likely to result in a risk to people’s rights and freedoms, for example discrimination, damage to reputation or financial loss, it is mandatory to report a personal data breach to the ICO within 72 hours. The Data Protection lead will make this report. If a member of staff realises that they have been processing data in a way not compatible with the data audit or with the way in which it was originally collected they must also inform the Data Protection lead as soon as possible so a plan of action can be agreed.

Individual Rights

Individuals can withdraw their consent to their data being processed at any time. They can also request to restrict processing e.g. that we can use their data to send them information about one type of activity but not another. They should also be able to quickly and easily request that the data we hold about them is updated and any corrections made.

In instances where consent was actively given and used as the legal basis for processing, it must be as easy to withdraw consent and this must be acted on immediately. Individuals also have the right to be forgotten e.g. all data held about them removed, and the right to data portability e.g. for us as an organisation to provide their data in a format which is then suitable to be transferred to another organisation or that we undertake that transfer for them.

If the data is being processed by any other purposes, for example, legal obligation, then we as an organisation may reject this request but this should be referred to the Data Protection lead. Individuals can also submit a subject access request, whereby we as an organisation would provide all of the data we hold on that individual. This must be done free of charge and within one month of the request. As an organisation we can extend the period of compliance by a further two months where requests are complex or numerous and we will inform the individual within one months of this and explain the reasons why.

If a request is excessive or clearly without relevant purpose, in particular where it involves repetitive tasks we can choose to charge a reasonable fee, proportionate to the administration incurred or refuse the request. In the event that a request is refused we will respond within one month to explain the reasons for this decision and inform the individual of their right to complain to a supervisory authority or take legal action.

The website (www.movingartmanagement.com) 

This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies with all UK national laws and requirements for user privacy.

Cookies 

When visiting our website (movingartmanagement.com) we may collect information about your computer, including your IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers, partners and marketing software tools. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.

For the same reason, we may obtain information about your general internet usage by using a cookie file. Cookies are small text files sent to your device (computer, tablet or mobile phone) by the website you are using. These are stored on your hard drive and can be retrieved by the original website on your next visit, or another website that recognises the cookie. Using cookies helps us to improve our site and deliver a better and more personalised service. They enable us: o - To estimate our audience size and usage pattern. o - To recognise you when you return to our site. o - To store information about your preferences, and so allow us to customise our site according to your individual interests. o - To speed up your searches. You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site. Further information about controlling and deleting cookies can be found at www.AboutCookies.org.

Personal information 

Whilst using our website, software applications or services, you may be required to provide personal information (name, address, email, account details, etc.). We will use this information to administer our website, applications, client databases and marketing material. We will ensure that all personal information supplied is held securely in accordance with the General Data Protection Regulation (EU) 2016/679, as adopted into law of the United Kingdom in the Data Protection Act 2018. Further, by providing telephone, fax and email details, you consent to Moving Art Management contacting you using that method. You have the right at any time to request a copy of the personal information we hold on you. Should you wish to receive a copy of this, or would like to be removed from our database, please contact us at movingartmanagement@gmail.com.

How do we collect information?

Moving Art Management collects information in two possible ways: a. When you directly give it to us (“Directly Provided Data”) When you sign up for our site, purchase our products or communicate with us, you may choose to voluntarily give us certain information – for example, by filling in text boxes or completing registration forms. All this information requires a direct action by you at that time in order for us to receive it. b. When you give us permission to obtain from other accounts (“User Authorised Data”) Depending on your settings or the privacy policies for other online services, you may give us permission to obtain information from your account with those other services. For example, this can be via social media or by choosing to send us your location data when accessing our website from your smartphone.

How long do we keep your data for?

Moving Art Management will not retain your personal information longer than necessary. We will hold onto the information you provide as needed to be able to provide the Services to you, or for as long as is necessary to provide support-related reporting and trend analysis only.

If legally required or if it is reasonably necessary to meet regulatory requirements, resolve disputes, or prevent fraud and abuse, we may also retain some of your information for a limited period of time as required, even after you have closed your account or it is no longer needed to provide the Services to you.

Registration forms 

Moving Art Management will not sell or rent your personally identifiable information, gathered as a result of filling out the site registration form, to anyone.

Choosing how we use your data 

We understand that you trust us with your personal information and we are committed to ensuring you can manage the privacy and security of your personal information yourself.

With respect to the information relating to you that ends up in our possession, and recognising that it is your choice to provide us with your personally identifiable information, we commit to giving you the ability to do all of the following: • You can verify the details you have submitted to Moving Art Management by contacting our Data Protection team by emailing movingartmanagement@gmail.com. 

Our security procedures mean that we may request proof of identity before we reveal information, including your e-mail address and possibly your address. • You can also contact us by the same method to change, correct, or delete your personal information controlled by Moving Art Management regarding your profile at any time. Please note though that, if you have shared any information with others through social media channels, that information may remain visible, even if your account is deleted. • You are also free to request the removal of your details from Moving Art Managements database at any time by emailing movingartmanagement@gmail.com. 

However, we may retain archived copies of your information as required by law or for legitimate business purposes (including to help address fraud and spam). • You can always feel free to update us on your details at any point by emailing movingartmanagement@gmail.com. • You can unsubscribe from receiving marketing emails from us by replying with the subject line or main body text OPT OUT. Once you do this, you will no longer receive any emails from us. Please allow up to 7 days for this request to be activated. • You can request a readable copy of the personal data we hold on you at any time. To do this, please contact us by emailing movingartmanagement@gmail.com

Please note, we are constantly reviewing how we process and protect data. Therefore, changes to our policy may occur at any time. We will endeavour to publicise any changes.

Contact Us

Please contact us if you have any questions, or wish to be removed from any communications or data processing activities: Email us: movingartmanagement@gmail.com 

To find out more about GDPR please visit https://www.eugdpr.org/eugdpr.org.html

Information Commissioner - For independent advice about freedom of information, data protection, privacy and data-sharing issues, you can contact the Information Commissioner at: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Tel: 01625 545745 e-mail: mail@ico.gsi.gov.uk Website: http://www.informationcommissioner.gov.uk

www.movingartmanagement.com