Internal Privacy Notice

This is STAR's Internal Privacy Notice from 20 July 2022.

Who we are

We are The Society of Ticket Agents and Retailers, a company limited by guarantee and registered in England and Wales under registration number 03453544 and our registered office is at Blake House, 18 Blake Street, York, YO1 8QG.

We are the data controller of the personal data we collect and process, as further described in this Privacy Notice. We take our responsibilities under data protection and privacy laws seriously and are also registered as a data controller with the Information Commissioner’s Office (“ICO”) under registration number ZA894374.

When this notice applies

This notice applies whenever we collect and process personal data relating to individuals (“you”, “your”) involved in the administration of STAR including job candidates, employees, former employees, prospective council members, council members and former council members. A separate public privacy notice applies to the processing of data involved in managing the STAR website, handling complaints and organising events at http://www.star.org.uk/privacy-notice/

This notice sets out the basis on which we collect and process your personal data in the circumstances described above, as well as your rights in connection with it. Please read this notice carefully to ensure that you understand how we process the personal data that you provide or that we otherwise collect about you. Please note that this website and our services are not intended for use by children and we do not knowingly collect or process personal data relating to children.

The information we collect about you

Depending on the nature of your relationship and interaction with us, we may collect, use, store and transfer different kinds of personal data about you. We have outlined the ways we do this in greater detail below.

Employment candidates, employees, former employees

To manage staff administration, we may process the following types of your personal data:

  • Identity Data including first name and last name.
  • Contact Data including addresses, email addresses and telephone numbers.
  • Employment history
  • Employment references
  • Interview notes
  • Right to work details
  • Performance management information
  • Attendance information
  • Disciplinary information
  • Bank account, salary and benefits details
  • Health Data including any information regarding health conditions, such as disability status, dietary or allergen information

Prospective Council Members, Council Members, Former Council Members

If you offer to serve on the council and if you are elected or co-opted to the council, we may process the following types of your personal data:

  • Identity Data including first name and last name.
  • Contact Data including company, address, email address and telephone numbers.
  • Council application details
  • Council membership and directorship details
  • Employment history and experience information
  • Details of activity as a council member, including in council meeting minutes
  • Bank account details to enable payment of expenses
  • Health Data including any information regarding health conditions, such as disability status, dietary or allergen information

    Sensitive personal data

    Health and disability data may be processed in order to accommodate your needs. Other sensitive data needed to monitor equality, diversity and inclusion will be gathered anonymously.

    How we collect your information

    Where we collect your personal data, this will often be provided directly to us by you. However, there may also be cases where we collect your personal data from other sources, such as from referees or from council members proposing members for co-option.

    Why we collect your information

    STAR will generally collect and use your personal information for the following purposes:

    • Considering employment
    • Administering employment
    • Administering council membership
    • Keeping records of council meetings

    We have set out in greater detail below the purposes and lawful bases of processing your personal data.

    However, please note that we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.

    Prospective Employees, Employees, Former Employees

    Purpose/Activity: To consider applications for employment
    Type of data: Identity Data; Proof of Identity Data; Contact Data; Employment history; Employment references; Interview notes; Right to Work
    Lawful basis for processing: On the basis of negotiations to enter into an employment contract.
    How long we will keep your personal data: 6 months from receipt/collection for unsuccessful candidates. Up to 6 years from termination of employment for employees.

    Purpose/Activity: To administer your employment contract
    Type of data: Identity Data; Proof of Identity Data; Contact data; Right to Work Data; Performance management information; Attendance information; Disciplinary information; Bank account, salary and benefits details; Health Data including any information regarding health conditions, including pregnancy, illness, disability status, dietary or allergen information
    Lawful basis for processing: On the basis of your employment contract. The additional condition for processing any sensitive data is that the information is necessary to fulfil the duties of the employer (UK Data Protection Act Schedule 1, Part 1, Paragraph 1).
    How long we will keep your personal data: Up to 6 years from termination of employment.

    Purpose/Activity: To provide employment references
    Type of data: Identity data; Employment history
    Lawful basis for processing: On the basis of your, and our, legitimate interest in confirming your employment details to prospective employers.
    How long we will keep your personal data: Indefinitely.

    Prospective Council Members, Council Members, Former Council Members

    Purpose/Activity: To manage changes to council membership through elections and co-options
    Type of data: Identity Data; Proof of Identity Data; Contact Data; Council membership application details; Interview notes; Directorship/council membership details; Employment history and experience information; Bank account details
    Lawful basis for processing: Necessary for our legitimate interests in administering council membership.
    How long we will keep your personal data: 6 months from receipt/collection for unsuccessful candidates. Up to 6 years from termination of council membership.

    Purpose/Activity: To keep records of council meetings
    Type of data: Identity Data; Details of meeting participation (e.g. minutes)
    Lawful basis for processing: Legal obligation (Companies Act)
    How long we will keep your personal data: Council meeting minutes are retained indefinitely.

    If you fail to provide personal information

    Please note that if you fail to provide certain personal data when requested, then we may not be able to progress your employment or council membership application.

    Third parties

    There may be certain circumstances under which we need to disclose your personal information to certain trusted third parties. The recipients of your personal data will depend on the nature of your relationship with us, as further described below.

    We may share your personal data with the following third parties:

    • Service providers we rely on to process personal data on our behalf, such as specialist providers of IT and other technology-based services.
    • Our professional advisors.
    • Regulatory authorities, law enforcement agencies, trade organisations and bodies (such as the Chartered Trading Standards Institute) and courts.
    • In the event of a reorganisation of all or part of STAR’s activities, the party ultimately assuming conduct of those activities and their professional advisors, including in connection with any sale, restructure, merger or takeover of STAR.

    Storing your personal information

    STAR will keep and process your personal information only for as long as it is necessary for the purposes for which it was collected, unless we have a legal right or obligation to retain the data for a longer period. We have set out the relevant periods above.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Any data deemed no longer relevant is deleted.

    Generally, where information is related to a contractual relationship, we will store data for 6 years from the date of termination of the contract. However, other types of information will be retained for reduced periods in line with the criteria above. For more information about how long we store specific types of data, please contact us using the contact information provided below.

    Security of your personal information

    We will put in place appropriate safeguards (both in terms of our procedures and the technology we use) to keep your personal information as secure as possible. We will ensure that any third parties we use for processing your personal information do the same.

    International transfers

    In some circumstances we may need to transfer your personal data to recipients located in jurisdictions outside of the UK/EEA, including some destinations which do not have equivalent data protection laws to the UK/EEA.

    However, when we transfer your personal data in this way we always ensure that an equivalent degree of protection is in place by ensuring that the recipient enters into specific contractual safeguards approved for use by the ICO. For more information about how we use approved contractual safeguards, please contact us using the contact information provided below.

    Your rights to your personal information

    In certain circumstances you have the right to:

    • Request access to your personal data (data subject access request).
    • Request correction of any incomplete or inaccurate personal data that we hold about you.
    • Request erasure (deletion or removal) of your personal data.
    • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
    • Request restriction of processing of your personal data.
    • Withdraw consent at any time where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdrew your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

    You will not have to pay a fee to access your personal data or exercise any of the other rights set out above. However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee or refuse to comply with your request in these circumstances.

    Please note that we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

    We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

    Please use the contact details at the end of this notice if you would like to exercise this right.

    Our use of cookies

    Our website uses cookies to help maintain the security of our site and improve your online experience. A cookie is a text file that is placed on your computer by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you. Our website uses cookies and similar technologies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and allows us to improve our website.

    When you first visit our website, we will ask you whether you consent to us setting cookies that are not essential to provide you with our online service. In addition, you can change your cookie preferences at any time by accessing our Privacy Overview or you can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

    For more information about the cookies we use, please see our Cookies Policy.

    Complaints

    In the event that you have a complaint about our treatment of your personal information, we would welcome the opportunity to address this with you in the first instance. However, you also have the right to lodge a complaint with the supervisory body, the ICO, and details of how to do this are set out at https://ico.org.uk/make-a-complaint/.

    Changes to the Privacy Notice

    We may change this notice from time to time to account for changed regulatory conditions or processing activities. You can always find the most up-to-date privacy notice on our website at www.star.org.uk.

    Contact details

    Please get in touch with us if you have any questions about any aspect of this privacy notice.

    Postal address: STAR, Blake House, 18 Blake Street, York, YO1 8QG
    Email address: info@star.org.uk

    Last updated: July 2022, Version 1.0