In order to perform some of our day-to-day operations, personal data is sometimes securely transferred to and subsequently processed by external companies. Where external companies process your personal data (e.g. postal and email addresses, to send out brochures or emails on our behalf), we ensure that the data is encrypted where appropriate and that proper controls are in place regarding how those companies manage the personal data they collect or have access to.
If one of these companies runs its operations outside the European Economic Area (EEA), it may not be subject to the same data protection laws as a company based in the UK. In that case we take steps to make sure it provides an adequate level of protection in accordance with UK data protection law, by requesting and checking its data policies, associated documents and specific legislation, and by checking for an adequacy decision between the EEA and that company’s country of origin.
For example, our marketing emails are dispatched by a company in the US. That company has provided documentation to prove that they are compliant with the data protection framework built to cover data sharing between the EU and the US (called the EU-US Privacy Shield). An adequacy decision is in place for the EU-US Privacy Shield, so that company is recognised by applicable legislation as providing adequate protection for your data.
In order to comply with the terms of our Arts Council funding agreement, our attendance data is securely transferred to an aggregator called the Audience Agency, where the data is anonymised and pooled with other public-funded organisations for reporting and analysis purposes.
Disclosure and Barring Service (DBS)
When working with musicians and partners who are not on the DBS update service (https://secure.crbonline.gov.uk/crsc/check), we will transfer data to a third party, currently Atlantic Data, so that the required checks can be performed.
Atlantic Data’s privacy and security policy can be found here: https://policydocuments.disclosures.co.uk/Privacy_Statement.pdf
We may need to pass your details, if required, to the police, regulatory bodies or legal advisors.
Contact information of ticket buyers may be shared with the NHS Test and Trace service if it is requested.
Arts Council National Portfolio Organisations
We have data sharing agreements in place with some Arts Council England National Portfolio Organisations. These agreements set out our expectations and requirements regarding how they manage the personal data we share with them. If you buy seats for a concert presented by or featuring an Arts Council England National Portfolio Organisation, and you give your consent at the time of booking for us to share your contact data with that National Portfolio Organisation, your data will be securely made available to them, including any updates made to your data and contact preferences in our systems. Each organisation will contact you separately to explain their own data protection processes and privacy policies before they send you any direct marketing.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
Sharing with our partners
In order to properly manage the care of individuals participating in projects and events, it is sometimes necessary to share data classed as ‘Special Category’ under the UK Data Protection Act 2018 with professionals or organisations delivering the projects on behalf of or in partnership with Wigmore Hall. In these cases, we will always ensure that consent is in place before sharing.
Sharing is done using secure means, and we ensure that everyone with whom we share data for these purposes has signed a data sharing agreement, which sets out the method of sharing and the rules for retention, rectification and erasure of data and includes a blank copy of the consent agreement signed by the individuals.
We will only ever share your data in other circumstances if we have your explicit and informed consent.