Privacy Policy Updated!
Lily la Mer Ltd. UK company number 09396046
Registered company address: 22 Romany Rise, BR5 1HQ, UK.
Trading as “Diamond Rose Entertainment”
“Director” Either of the Directors of Lily la Mer Ltd.
(Francesca Dubery and Alexander Stevenson)
“The Company” Lily la Mer Ltd.
“We/us/our” Lily la Mer Ltd.
“Individual” Any individual natural person who has data held by Lily la Mer Ltd.
“this policy” This document, the Data Protection / Privacy Policy of Lily la Mer Ltd.
Data Protection in Lily la Mer Ltd.
Our intention is to protect the individuals whose data we hold: by making sure we hold only data that is necessary, by keeping their data secure, and by allowing them access to and control over their data.
This policy is designed to protect each individual’s:
-
Right to be informed
-
Right of access
-
Right to rectification
-
Right to erasure
-
Right to restrict processing
-
Right to data portability
-
Right to object
-
Right to not be subject to automated decision making and profiling
Data Protection compliance in Lily la Mer Ltd. is the shared responsibility of the two Directors, Francesca Dubery and Alexander Stevenson.
What data we hold and why
We hold data on the following five categories of individuals:
-
Sub Contractors
-
Clients and Enquiries
-
Agents
-
B2B Marketing
-
Erasure (see ROPA and Right to Erasure)
Details are in the Record of Processing Activity (ROPA) below.
We hold data only where it is necessary for the functioning of our business – acquiring, confirming, booking and managing entertainment contracts. We never have sold, and never will sell, data to any 3rd party.
Record of Processing Activity
Data set: Sub Contractors
Example individuals: Performers, Costumers, Photographers, Assistants
Legal basis for holding: Completion of Contract, Legal Obligation
Purpose: Event rosters, Invoices, Contracts. To allow us to contact our contractors for bookings & enquiries, and to maintain records related to finance and contracts.
Categories held: Name, Date of Birth (age), Email Address, Telephone Number, Address, Passport / ID scans (only if booking flights or if required for confidential site access), Company, Company Address, Company Registration Number, Public Liability Insurance Status, Public Liability Insurance Provider (sometimes this is a trade union, Equity) and Policy Number, Previous Correspondence, Invoices (with bank details and NI Number), Contracts, Work history (with us)
Where data is stored: Dropbox, Emails, Google Calendar
How it is processed: Contacting about bookings, rostering events, paying invoices, providing necessary details to clients
Is it shared: Yes, sometimes data will be shared with clients or other contractors where it is necessary for site access, insurance, on-site contact or other requirements for the completion of contracts. Invoices are shared with our accountant.
Envisaged time limits: Indefinite (as long as we are operating and/or legal requirements to data retention are active)
Where data came from: Directly from the Contractor
How long we’ve had it: Variable (earliest 2012)
If it is still relevant: Yes (removal of all except necessary legal records if a contractor leaves the team)
Data set: Clients and Enquiries
Example individuals: Show organisers, event organisers
Legal basis for holding: Performance of contract signed by subject, or to take pre-contract steps at the request of the subject
Purpose: To manage their booking and ensure their entertainment is correct for their needs
Categories held: Name, Email Address, Telephone Number, Address, Company, Company Address, Company Registration Number, Previous Correspondence, Invoices (with bank details), Contracts, Risk Assessments, Event Details, Previous engagement details, Number of Enquiries Made, Number of Shows Booked
Where data is stored: Dropbox, Emails, Google Calendar
How it is processed: Arranging bookings, writing contracts & invoices, risk assessment for events, credit control, calling to discuss event and/or when arriving on site, checking that a client is not contacting us directly when they have previously booked us through an agency
Is it shared: Yes, event details (location, timings) and contact details (name, phone number) are sometimes shared with contractors when necessary for performance of contract. Invoices are shared with our accountant. If a client does try to book us directly for an agency event, we need to give their name, company and event name to the agency to follow up.
Envisaged time limits: Indefinite (as long as we are operating and/or legal requirements to data retention are active)
Where data came from: From individual directly, website contact form, email, referral, or from original data as a B2B marketing individual
How long we’ve had it: Variable (earliest 2010)
If it is still relevant: Yes
Data set: Agents
Example individuals: Entertainment agencies, marketing agencies, event planners
Legal basis for holding: Legitimate Interest, Legal Obligation
Purpose: To manage bookings via intermediaries
Categories held: Name, Email Address, Telephone Number, Address, Company, Company Address, Company Registration Number, Previous Correspondence, Invoices (with company bank details), Contracts, Risk Assessments, Event Details, Previous Engagement details, Previous Enquiry details, Number of Enquiries Made, Number of Shows Booked
Where data is stored: Dropbox, Emails, Google Calendar, MailChimp
How it is processed: Used to answer enquiries, confirm and complete contracts, write and send invoices, credit control, keep their records updated about our acts and details (by direct email and by agency-specific mailing list), avoid client overlap
Is it shared: Yes, event details (location, timings) and contact details (name, phone number) are sometimes shared with contractors when necessary for performance of contract. Invoices are shared with our accountant.
Envisaged time limits: Indefinite (as long as we are operating and/or legal requirements to data retention are active)
Where data came from: Directly from the agent, online research, referral, business card, website referral form
How long we’ve had it: Variable (earliest 2010)
If it is still relevant: Yes (removed if agency closes)
Data set: B2B Marketing
Example individuals: Show organisers, event organisers
Legal basis for holding: Legitimate Interest
Purpose: Offering specific services for events
Categories held: Name, Company, Job Role, Email Address, Previous Correspondence, Events
Where data is stored: Dropbox, Emails, Google Calendar
How it is processed: Used to send specific marketing emails regarding entertainment services for their events.
Is it shared: No
Envisaged time limits: Indefinite (as long as we are operating and/or legal requirements to data retention are active)
Where data came from: Internet research, referral, business cards
How long we’ve had it: Variable – earliest from 2014
If it is still relevant: Yes (removal if their event/their company closes, removal if they leave relevant job role)
Data set: Erasure (see section: Right to Erasure)
Example individuals: Individuals who have specifically requested Erasure
Legal basis for holding: Consent
Purpose: To avoid accidentally re-contacting or marketing to an individual who has requested Erasure
Categories held: Name, Company
Where data is stored: Dropbox
How it is processed: Used to check a person has not previously requested Erasure when direct marketing to new individuals
Is it shared: No
Envisaged time limits: Indefinite (as long as we are operating)
Where data came from: Consent after an individual requests Erasure
How long we’ve had it: None yet collected
If it is still relevant: Yes (removal at any time they request)
NOTE ON CHILDREN: The only document directly relating to children would be photograph usage consent forms, which would be signed by parents and contain only the child’s name. It is possible that clients occasionally tell us a child’s name and age, for the purposes of knowing the birthday child at a party, which would be in emails from the parent. These emails are usually maintained as correspondence regarding the relevant contract.
B2B Marketing – Legitimate Interest
We hold information about some individuals for the purpose of B2B Marketing.
This is covered under recital 47 of GDPR: ”processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
B2B Marketing is the only truly efficient method of marketing for our specific service to the level that we work at (large-scale events, BIDs etc) and so the processing of this data is necessary to achieve the legitimate interests of our Company (that is: booking event performances, which is our primary source of income).
Collection of B2B marketing data will demonstrate legitimate interest as follows:
-
An individual must be in a position of being able to potentially book our services, for example being the organiser of a large event, an agent, a marketing company etc.
-
They should either already have an interest in booking entertainment (e.g. have booked it for previous similar events), or that our entertainment would demonstrably add to an event, promotional campaign etc that they are running
-
The service we wish to offer should be directly relevant to their needs (for example, offering flower stilt-walkers to flower shows, mermaids to aquariums etc)
-
Correspondence that we send will be directly relevant and customised to them
We will collect only data that is relevant to sending them individual, direct emails about services that may be useful to them – this will usually be their name, contact details, the company that they work for, the events that they organise, and data on when/how we have contacted them before. See ROPA for details.
As far as we are aware, this lawful basis is an alternative to consent and therefore would not require acquiring consent as well. If we discover that this is not the case, we will immediately review this section of the policy and request consent from B2B contacts.
Privacy Notice – Acquiring Consent
As you can see in our ROPA, we mainly process data for specific reasons under Legitimate Interest, Legal Obligation, and Performance of Contract. Where we collect data under the lawful basis of Consent, new individuals will be sent a separate email informing them about:
-
Who we are (Company name, number, address)
-
What information we intend to hold about them
-
The lawful basis / reason for holding their information
-
How we intend to use their information
-
Data retention periods for their data
-
If it will be shared with any 3rd party/s or outside the EU
-
Who in the Company they can talk to if they have questions, concerns or requests, and the contact details (email address, phone number) for that person
-
Where they can access a copy of this policy document
This email will be written in concise, clear and easy to understand language.
It will request their consent to the specific data detailed in the email, with a positive opt-in and clear, simple ways to withdraw.
It will also briefly summarise their rights as follows:
“You have the right to control of your personal data. This includes the right to revoke your consent at any time, the right to view your data and an overview of how it is being processed, the right to obtain a copy of your data, the right to erasure of your data under certain circumstances, the right to contest any decision based on algorithms (although we don’t make any decisions that way!), and the right to file complaints with a Data Protection Authority. You can talk to us at any time if you have questions, concerns or requests about your data. And if you are ever unhappy with how we are handling your data, you have the right to complain to the ICO. We hope it would never come to that though, because we are always happy to help!”
If they consent, their data will be added to our system. We will retain a copy of their email/consent for our records. They will be updated on any changes to our privacy policy, data processing, or to the details that we hold about them.
If they withdraw consent or do not reply, we will follow process for Right to Erasure.
Keeping data secure
We keep data secure in these ways:
-
Any electronic device that contains access to personal data is restricted to the Directors only, and all devices have password protection, firewalls and a remote wipe facility to ensure data is kept secure at all times
-
To the best of our knowledge, the systems we use all feature GDPR compliant encryption (Dropbox, Email by 123-reg, MailChimp, Xero and Google Calendar)
-
All our hardware systems are Apple Mac and have the ability to remote wipe all data in case of theft of a physical device.
We intend to further improve security by also directly encrypting our main Excel spreadsheets, contracts, contractor passport scans etc, with the decryption keys stored separately with the Directors. Once that process is complete, we will encrypt all current data immediately and encrypt all new data as soon as possible after collection.
In the event of a data breach:
Data breach of the type of data that we hold is unlikely to result in risk to the rights or freedoms of those concerned, as we have no data that would risk their personal freedoms or allow access to bank accounts, account log-ins etc. In the unlikely event that there was a high risk to an individual/s after a data breach, we would report it to ICO within 72 hours and inform the individual.
If a data breach of any kind is detected, we will immediately shut down all systems until we have contacted a professional to investigate. Systems will be kept offline until the potential breach is fully investigated and dealt with. If applicable, the ICO and any effected individuals will then be contacted with details of the breach, and we will review policy and protocol to make sure that the same type of breach could not occur in future.
Right of Access
Where an individual requests access to their data, or asks to know what data we hold about them, the following procedure applies:
-
Director identifies all data held and where it is held
-
Director opens relevant system/s, accesses individual’s data, copies data for only that individual to a Word document (or other commonly used electronic format) in a structure that is clear and easy to understand.
-
Director emails document to individual, along with a message explaining:
-
Our company details
-
What information we hold about them (categories of data)
-
Why we hold it (the lawful basis)
-
What we use their data for and how it is processed
-
Where we got their data
-
Any 3rd party who sees their data
-
Any other relevant information
-
Attachment: their data document
-
Attachment: this policy document
-
Asks if they have any questions, concerns or requests about their data
-
-
Director then immediately deletes their new data document (and email with document attached) so that data is once again only stored within the original secure system.
The process must be done as one task, so that there is no gap where there is an unsecured file. The task must be completed within 30 days of the request, however we would aim to complete within 10 days wherever possible.
All information will be written in clear, easy to understand language, in a commonly accessible format (usually email and Word) and provided free of charge.
If the individual has any questions, these will be answered to the best of our ability and where possible within 10 working days.
If the individual requests any change or erasure of their data, that will be processed as per the relevant section of this policy.
Right to Erasure
We retain personal data for both marketing and legal/regulatory reasons.
Where data is retained for marketing reasons, any request for erasure will be implemented in full and without question, with the following process:
-
Director identifies all data held and where it is held
-
Director fully removes data from all relevant systems
-
Individual is informed of the above result, and is asked if they would like to be included on the “Erasure” list to make sure that they are never accidentally re-contacted during future marketing activities
-
If they say yes, Name and company of individual is added to list “Erasure”, which is accessible only to Directors and is to prevent accidental re-marketing. That list is retained indefinitely, and the individual can ask to be removed at any time.
The task must be completed within 30 days of the request, however we would aim to complete within 10 days wherever possible.
Where data is retained that is linked to any legal/regulatory reasons (for example: contracts, invoices), any request will be handled in the following manner:
-
Director identifies all data held and where it is held
-
Director identifies and immediately fully removes any data that is very obviously not linked to a legal requirement
-
Director seeks legal advice on whether the legal requirement to retain remaining data (e.g. for financial records, or data included on contracts) outweighs the individual’s Right to Erasure.
As neither Director is legally qualified, we will seek further information and legal advice on a case-by-case basis if an individual requests Erasure that overlaps with legal records.
In order to complete Erasure within 30 days (if applicable), a Director will start the process of research and advice within 10 days of receiving the request for Erasure.
Right to Rectification
Where an individual requests change or rectification of their data, the following procedure applies:
-
Director identifies all data held and where it is held
-
Director opens relevant system/s, accesses individual’s data, and updates it as per individual request
-
Director emails individual, confirming the change/s that have been made and asking if they have any further questions, concerns or requests about their data.
The task must be completed within 30 days of the request, however we would aim to complete within 10 days wherever possible.
All communication will be written in clear, easy to understand language.
If the individual requests any access or erasure of their data, that will be processed as per the relevant section of this policy.
Right to Data Portability
Personal data that we collect through automated methods is:
-
Personal data entered into the contact form on our website, which will be sent to us as an email and be stored within our email inbox.
-
Personal data contained within emails (as content, signature or attachments) that are sent to us, which will be stored within our email inbox.
-
Subscriptions to a mailing list on MailChimp, which are stored only within the MailChimp system (name and email address only, legitimate interest)
In any case where we collect automated data, if an individual makes an access request for that data then the procedure is:
Director opens relevant system/s, accesses individual data, copies data for only that individual to a Word document (or other commonly used electronic format) in a structure that is clear and easy to understand, emails document to individual (as per Right to Access), then immediately deletes document so that data is once again only stored within the original secure system.
The process must be done as one task, so that there is no gap where there is an unsecured file. The task must be completed within 30 days of the request, however we would aim to complete within 7 days wherever possible.
Right to not be subject to automated decision making and profiling
We do not use profiling or automated decision making in any aspect of our business.
We do not use any algorithmic decision-making and so that will not need to be discussed in the Privacy Notice sent to new individuals about their data.
If we ever develop or implement new systems that involve profiling, algorithms or automated decision making, we will review these under GDPR before implementing them.