Privacy

Cross Hands Hall, Cinema and Community Centre ("we", "our", "the Centre") is committed to protecting the privacy and security of the personal data we collect and process. As a community hub and cinema, we handle data from trustees, volunteers, employees, customers, hirers, and visitors. 

This policy ensures that the Centre complies with data protection legislation (including the UK GDPR and Data Protection Act 2018), protects individual rights, and maintains community trust. 

We will ensure that all personal data is handled according to the core principles of data protection. Data must be: 

• Lawful, fair, and transparent: Processed with a valid legal basis and clear communication. 

• Purpose limitation: Collected only for specific, explicit, and legitimate purposes (e.g., ticket bookings, hall hire agreements). 

• Data minimisation: Adequate, relevant, and limited to what is necessary. 

• Accuracy: Kept accurate and up to date. 

• Storage limitation: Kept only as long as necessary for its intended purpose. 

• Integrity and confidentiality: Handled securely to protect against unauthorised or unlawful processing, loss, or damage.

To run the cinema and community centre efficiently, we may collect and process: 

• Contact Information: Names, addresses, email addresses, and phone numbers (e.g., from event ticket buyers, newsletter subscribers, and room hirers). 

• Financial Information: Payment details for tickets, donations, or room hire (processed securely via third-party payment gateways; we do not store raw card details). 

• Personnel Data: Employment history, tax details, and emergency contacts for staff and volunteers. 

• CCTV Imagery: Video footage captured by security cameras on the premises for safety and crime prevention.

We only process personal data when we have a lawful reason to do so: 

• Contractual Necessity: To fulfil ticket purchases, process room hire bookings, or manage employment contracts. 

• Legal Obligation: To maintain financial records for tax purposes or report accident logs. 

• Consent: To send marketing emails, newsletters, or cinema listings (which can be withdrawn at any time). 

• Legitimate Interests: To operate CCTV for security purposes, or to manage day-to-day volunteer schedules.

We take security seriously and implement appropriate measures to keep data safe: 

• Digital Records: Password-protected computers, secure cloud storage with restricted access, and up-to-date antivirus software. 

• Physical Records: Paper forms, booking logs, or personnel files are kept in locked filing cabinets accessible only to authorised staff/trustees. 

• Third-Party Processors: When using external software (e.g., cinema ticketing systems, email newsletter tools), we ensure they are fully compliant with UK data protection standards. 

Personal data will not be kept longer than necessary. 

• Booking and Ticket Sales: Kept for the duration required by financial regulations (typically 6 years for accounting purposes). 

• Marketing Lists: Kept until an individual unsubscribes or requests removal. 

• CCTV Footage: Automatically overwritten after 30 days, unless required for an ongoing investigation. 

• Volunteer/Staff Records: Kept for 6 years after their association with the Centre ends.

Under data protection law, individuals have rights regarding their personal data. Anyone interacting with the Centre has the right to: 

1. Be informed about how their data is being used (via our Privacy Notice). 

2. Access the personal data we hold about them (Subject Access Request). 

3. Rectify inaccurate or incomplete data. 

4. Erase their data (the "right to be forgotten"), subject to legal retention duties. 

5. Restrict or object to certain types of processing (e.g., direct marketing). 

Note: To exercise any of these rights, individuals should contact the Centre Management via the contact details provided below. We will respond within one calendar month.

In the unlikely event of a data breach (e.g., theft of a laptop, accidental deletion, or unauthorized access), the Centre will act swiftly: 

• Investigate the cause and contain the breach immediately. 

• Assess the risk to affected individuals. 

• If the breach poses a high risk to individuals' rights and freedoms, we will notify the affected parties and report the breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.

The Board of Trustees holds overall responsibility for ensuring compliance with this policy. Day-to-day management is delegated to the Centre Manager. This policy will be reviewed every two years or sooner if legislation changes.

For any questions or concerns regarding our Privacy policy, you can contact us via our Contact Us page.