Gigs and Tours commits to protecting the data provided by its clients, subscribers, employees and other natural persons.
The purpose of this document is to:
- Establish procedures to regulate the management of these personal data
- To demonstrate the commitment of Gigs and Tours with regards to the protection of personal data
- To limit the risk of data breach
- To comply with the applicable laws and regulations (in particular, the Data Protection Act and the GDPR)
This policy is to be updated at least once per year by Alex Spencer, Senior Project Manager.
1. Definition and principles of data protection
|Personal Data||Any information relating to an identified or identifiable natural person, whether directly or indirectly|
|Special categories of data||Data which reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation of a natural person|
|Data subject||A natural person, identified or identifiable by the personal data|
|Processing||Any operation or set of operations which is performed, whether or not by automated means, and applied to personal data or sets of personal data (such as collection, recording, storage, modification, consultation, disclosure, reconciliation, erasure or destruction, etc.)|
|Data controller||The natural or legal person, public authority, service or other organism which, alone or jointly, determines the means and the purposes of processing|
|Data processor||The natural or legal person, public authority, service or other organism which processes personal data, whether or not they are a third party|
|Recipient||The natural or legal person, public authority, service or other organism to whom personal data are disclosed, whether or not they are a third party|
|Third party||A natural or legal person, public authority, service or other organism other than the data subject, data controller, data processor or those authorised to process the personal data|
|Consent||Any freely given, specific and informed manifestation by which the data subject accepts, by a declaration or by clear positive action, that the personal data be processed|
|Personal data breach||A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data transmitted, stored or otherwise processed, including unauthorised access to the data|
|Supervisory authority||An independent public body established by a Member State pursuant to article 51 of the GDPR|
1.2. Data protection principles
|Fair, lawful and transparent processing||Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.|
|Purpose limitation principle||Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.|
|Data minimisation||Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.|
|Accuracy||Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.|
|Data retention periods||Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.|
|Data Security||Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.|
|Accountability||The controller is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.|
2. Roles & Responsibilities
Governance of the entity in relation to data protection and responsibility is down to the Data Protection Officer:
He can be contacted for matters on Data Protection via https://www.gigsandtours.com/customerservice
For all customer service enquiries on your ticket orders please refer to: https://www.gigsandtours.com/customerservice
3. Compliance tools
Record of data processing activities - Gigs and Tours maintains an up-to-date record of their data processing activities in accordance with article 30 of the GDPR. This record must be made available to the supervisory authority on demand.
PIA - Where a type of processing, in particular the use of emerging technologies, and in view of the nature, scope, and context of the purpose(s) of processing, is apt to cause a heightened risk to the rights and freedoms of natural persons, Gigs and Tours carries out, before processing, an analysis of the expected impact of processing on the personal data. A PIA model has been formalised in Excel format.
4. Third party management
As data controller
For all processing involving third-party data processors, Gigs and Tours implements contracts with the processors including, at the minimum, the requirements stated in article 28 of the GDPR as well as instructions to be followed by the processor, a breach notification clause, an audit clause, a responsibility clause, and provisions which the processor must follow at the end of the contract.
As data processor
Where Gigs and Tours is the processor, it acts only on the predefined instructions of the data controller
- Verify that the instructions do not constitute a violation of the applicable laws and regulations
- Retain a copy of the instructions
If Gigs and Tours recruits a processor, they must implement a binding contract between themselves and the data processor.
Gigs and Tours implements the necessary processes as required by the law and by the applicable regulations, including the record of data processing activities.
Proof of Concept (POC)
The "Proof of Concept" tests are also to be regulated by a legal act, to reinforce at least the instructions and measures to be taken if the POC does not proceed (in particular, the data exchange procedures and data destruction procedures if the POC does not proceed).
5. Rights of data subjects
The data subjects have certain rights concerning their personal data:
- The right of access
- The right of rectification
- The right to erasure (the "right to be forgotten")
- The right to restrict processing
- The right of data portability
- The right to object to processing
- The right not to be evaluated on the basis of automated processing.
Gigs and Tours has implemented a procedure for the management of data subject requests (including the exercise of their rights. This procedure is below:
Step 1: Customer invokes a Subject Access Request
Step 2: The customer is sent a link to the customer portal where they will be able to login and automatically:
- view their data;
- download their data;
- rectify their data;
- modify their preferences;
- request restriction of processing and;
- request deletion of their data.
Step 3: If a customer edits their data or modifies their preferences this will be actioned immediately. Deletion and restriction of processing requests will be handled in accordance with the circumstances within 1 month.
Step 4: The Data Subject will be able to view changes made within the portal within the time frame specified when making the request
6. Personal Data
Underage persons - The legal age of majority relative to the GDPR is fixed at 16 years of age. The regulation makes the provision, however, for each country to lower this age of consent to a minimum of 13 years.
There are special provisions for the processing of personal data relating to minors, notably regarding consent.
Lawful basis - In order to be able to process personal data it is necessary to identify the associated lawful basis for processing. Gigs and Tours can rely on 4 lawful bases:
- Consent of the data subject
- Fulfilment of a contract to which the data subject is party, or the execution of pre-contractual measures
- Compliance with a legal obligation
- Legitimate interest of the data controller
The other two legal bases described in the GDPR are not applicable to Gigs and Tours.
Consent - A specific procedure has been formalised for the management of consent to process a subjects data for marketing purposes. This procedure is in the form of ticking a consent box on the checkout page. Please note that recipients will only ever receive marketing material in email form from Gigs and Tours or See Tickets (who manage this website).
Data minimisation - At the point of data collection, Gigs and Tours collects only the data strictly necessary to meet the purpose(s) of processing. In the event of any change in processing, Gigs and Tours verifies that the data collected are still relevant to the updated process.
Free-form data entry - The use of free-form data fields carries privacy risks, as these fields (typically notes or comments) may contain inappropriate comments or personal data.
Media - There are different media used in processing (and therefore different storage locations for the personal data processed). It is essential to identify them all to protect the data correctly and to limit the risk of personal data breaches.
Data confidentiality - The generally applicable rules of confidentiality must also be followed with regards to personal data. The access to personal data must on a "need to know" basis, combined with application access management. The paper documents containing sensitive personal data must be kept in locked cupboards.
Non-production environments - Whether the data are in the production or pre-production environment, they must be protected in the same way as the risk to the data subjects is the same in the event of a breach, whatever the source. Where possible, it is preferable to avoid storing personal data in pre-production environments; if possible, they should be kept in anonymised databases.
Recipients - Any natural or legal person with access to personal data is considered a recipient (whether they are internal or external to the organisation acting as data controller). Gigs and Tours shares personal data only with the recipients necessary to fulfil the stated purpose(s) of processing.
International transfers - Any transfer of personal data which are undergoing or are intended for processing after transfer to a third country or to an international organisation shall take place only if appropriate safeguards are in place, or if other specific exceptions apply. The rules governing data transfers are applicable to internal transfers within Vivendi as well as to external transfers.
Retention period - Gigs and Tours has defined the retention periods for each category of personal data, according to the purposes of processing. Gigs and Tours retains your data for 15 years.
Archiving personal data - Once the data are no longer processed in production, they are archived for the duration of the retention period. The access to these archives is limited, and supplementary security measures are in place to protect the archived data.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity, for the rights and freedoms of natural persons, Gigs and Tours and the processor(s) shall implement appropriate measures to ensure a level of security that is adapted to the risk. There are different categories of security measures that can be taken to protect the personal data:
Physical security measures - There can be physical security measures, such as physical access controls, the use of specific materials, measures against risks connected to water, fire, etc.
Logical security measures - To protect the data found in information systems, there are logical security measures such as encryption, pseudonymisation, traceability, logical access controls, settings, dedicated networks, etc.
Organisational measures - Organisational measures must also be put in place, such as appropriate governance, policies and procedures, a project methodology, monitoring via reports and dashboards, etc.
Logs - It is important to keep logs in order to remain informed of any changes or developments, and to carry out inspections to verify that the security measures in place are working well.
8. Training and Awareness
Training for key individuals - Gigs and Tours has identified the individuals who, in the context of their professional activity, are required to process a large quantity of personal data, or special categories of personal data (as set out in article 9 of the GDPR). These individuals are trained by the DPO.
Awareness for all employees - Gigs and Tours deploys an annual awareness campaign to remind all employees of the rules and principles of personal data protection.
Point of contact - Gigs and Tours has designated a point of contact to answer employees' questions regarding the protection of personal data: Michael Dixon, Data Protection Officer.
9. Controls and incident management
Controls - Gigs and Tours has implemented controls to ensure that regulatory obligations regarding data protection are followed. The controls must be documented, and the results logged.
Notification in the event of a personal data breach - In the event of a personal data breach, Gigs and Tours assesses the risk for the data subjects and, if there is a risk, notifies the competent supervisory authority within 72 hours. If the risk assessment indicates a high risk for the data subjects, Gigs and Tours communicates the breach of personal data to the data subjects. A specific procedure concerning the management of security incidents has been formalised.
Breach monitoring and documentation - Gigs and Tours has implemented a data breach record. In the event of a personal data breach, Gigs and Tours will analyse the source and formalise recommendations to address the risk(s). The recommendations will be followed to limit the risk of a repeat incident.