Privacy Notice & Data Protection Policy Cranleigh Arts Centre


In order to operate efficiently, we must collect information about people with whom we work. These may include members of the public, current, past and prospective employees, current, past and prospective volunteers, and suppliers. In addition, we may be required by law to collect and use information in order to comply with the requirements of central government.

This personal information must be handled properly under the General Data Protection Regulation and Data Protection Act 2018 (‘the GDPR/DPA’). The GDPRDPA regulates the way that we handle ‘personal data’ that we collect in the course of carrying out our functions and gives certain rights to people whose ‘personal data’ we may hold.

We consider that the correct treatment of personal data is integral to our successful operations and to maintaining trust of the persons we deal with. We fully appreciate the underlying principles of GDPR and support and adhere to its provisions.

We are registered with the Information Commissioner’s Office to process personal data Registration Number Z5427214. We are named as a data controller under the register kept by the Information Commissioner in accordance with GDPR/DPA.

What is “personal data”?

For information held by Cranleigh Arts Centre, personal data means any recorded information held by us and from which a living individual can be identified. It will include a variety of information including names, addresses, telephone numbers, photographs of people and other personal details.

Data protection principles

We will comply with the eight enforceable data protection principles contained within the GDPR by making sure that personal data is:

  • fairly, lawfully and transparently processed.
  • collected for specific, explicit and legitimate purposes.
  • adequate, relevant and limited to what is necessary.
  • accurate and kept up to date; erased or rectified without delay.
  • not kept longer than necessary for the purposes required and in line with legislative guidelines.
  • processed in a way that is secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Responsibility for Data Privacy

Cranleigh Arts Centre does not require the appointment of a Data Protection Officer as it is not a public authority and the core or primary activities of the company do not require regular and systematic monitoring of data subjects on a large scale.

Responsibility for Data Privacy within the business is held by the Centre Manager or whoever is fulfilling that role together with a nominated Trustee appointed by the Board of Trustees. Oversight and review of current policy rests with the Chairman and Board and will be made annually.


We will ensure that at least one of the following conditions is met before we process any personal data:

  • the individual has consented to the processing
  • the processing is necessary for the performance of a contract with the individual
  • the processing is required under a legal obligation (other than one imposed by a contract)
  • the processing is necessary to protect vital interests of the individual
  • the processing is necessary to carry out public functions eg. administration of justice
  • the processing is necessary in order to pursue our legitimate interests or those of third parties (unless it could unjustifiably prejudice the interests of the individual)

Under the Act, one of a set of additional conditions must be met for ‘sensitive personal data’. This includes information about racial or ethnic origin, political opinions, religious and other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions. We will ensure that one of the following additional conditions are met before we process any sensitive personal data:

  • the individual has explicitly consented to the processing
  • we are required by law to process the information for employment purposes
  • we need to process the information in order to protect the vital interests of the individual or another person
  • the processing in necessary to deal with the administration of justice or legal proceedings

Individuals’ rights

We will ensure that individuals are given their rights under the GDPR/DPA:

the right to access their personal information from us within one month
the right to withdraw consent or object to the basis for processing
the right to ask for data to be deleted, corrected, restricted or transferred
the right to ask us not to process personal data where it causes substantial unwarranted damage to them or anyone else
If after contacting us with your concerns you feel we have breached the requirements of GDPR/DPA you have the right to lodge a complaint to the Information Commissioners’ Office .

Data Security

Legal requirements

While it is unlikely, Cranleigh Arts Centre may be required to disclose your user data by a court order or to comply with other legal requirements. We will use all reasonable endeavours to notify you before we do so, unless we are legally restricted from doing so.

No commercial disposal to third parties

Cranleigh Arts Centre will not sell, rent, distribute or otherwise make user data commercially available to any third party, except as described above or with your prior permission.

Our commitment to data protection

We will ensure that:

  • everyone managing and handling personal information understands that they are responsible for following good data protection practice
  • there is someone with specific responsibility for data protection in the organisation
  • staff who handle personal information are appropriately supervised and trained
  • queries about handling personal information are promptly and courteously dealt with
  • people know how to access their own personal information
  • methods of handling personal information are regularly assessed and evaluated
  • any disclosure of personal data will be in compliance with approved procedures.
  • we take all necessary steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure


You can download a copy of our privacy policy here.