Swansea Bay Street Markets Ltd. respects and values privacy – this policy outlines key information to tell you how we gather, process and store data. There is a separate privacy policy for staff and associates.
As a general principle, we will only gather, process and/or store data that is necessary and we do so in compliance with the General Data Protection Regulation (GDPR) that takes effect on 25th May 2018.
This policy affects your use of our website and any other digital means of gathering data from you.
Your use of our website is contingent on your understanding and acceptance of this policy and we deem you to have understood and accepted this if you access our website.
If you do not accept and agree with this policy then you may not use our website and if you have accessed this policy online via our website then you must leave our website immediately.
We always try to communicate using plain English, but there are some terms that require definition in order for you to understand this document, as follows:
a “Cookie” is a small text file placed on your computer or device by a website and/or a third party (e.g. Google) when you visit a website – use of cookies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003, sometimes referred to as “Cookie Law”;
a “data controller” determines the purposes and means of processing personal data;
a “data processor” is responsible for processing personal data on behalf of a controller;
a “data subject” is a living individual to whom data relates;
“personal data” is defined by the UK Information Commissioner’s Office (ICO) as “
“We/Us/Our/The company” means Swansea Bay Street Markets Ltd., a not for profit company limited by guarantee, registered in England under company number 08560047;
, whose registered office is The Engine Room @HQ, Llys Glas, Alexandra Road, Swansea, SA1 5AJ; and
“Our/This Site” means: www.swanseabaystreetmarkets.co.uk
At times, we will be a data controller, and at other times we will be a data processor.
information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier” – the ICO further clarifies that this relates to ‘living any individuals’
The overriding principles are that the gathering, processing and storing of data has a legal basis and that it is fair. Part of the process of making it fair is to be open and honest about the data we collect. If at any time you are concerned or wish to know more about how we collect, process and store data then you can contact us via our website and we will do our best to help.
Before gathering, processing and storing any information, we have an internal test where all those gathering data, whether on staff or from a third party that we contract, can clearly articulate why we need to gather that personal data and what our legal basis for doing so is. We also determine in advance the length of time for which we will need to retain that data.
At the outset, prior to collecting data, we also consider any risks posed to the individual, for us and our clients and balance the need to gather data against risks.
Once we have determined that we do need to gather, process and store personal data, then we will always be clear about:
who we are and how we can be contacted (in using Our Site we work on the basis that this is already clear, in any other instances we will clearly identify ourselves and what we do in advance);
who we are collecting the data for;
who else we may share the data with (if anyone); and
what data we are collecting (including whether it is anonymous) and how we will do it.
Sometimes we will be gathering data for ourselves, sometimes we will gather it for a third party.
Where a third party is a data controller and we are the data processor we will satisfy ourselves in advance that their privacy policy is acceptable and, where necessary, we may also draw attention of data subjects to the privacy policies of those third parties. We will not contact you to make you aware of this where it is a legal requirement for us to pass on personal data that you provide.
This policy applies to your use of Our Site and other ways in which we gather, process and store data. Our Site may contain links to other websites – please note that We have no control over how your data is collected, stored, or used by other websites and We advise you to check the privacy policies of any such websites before providing any data to them.
As a data subject, you have the following rights under the GDPR, which this Policy and Our use of personal data have been designed to uphold:
the right to be informed about Our collection and use of personal data;
the right of access to the personal data We hold about you;
the right to rectification of any personal data We hold about you is inaccurate or incomplete;
the right to erasure (often called the ‘right to be forgotten’) – i.e. the right to ask Us to delete any personal data We hold about you – please note that this right is not absolute and only applies in certain circumstances, we give a summary of this below;
the right to restrict (i.e. prevent) the processing of your personal data in certain cases;
the right to data portability (obtaining a copy of your personal data to re-use with another
service or organisation) in certain cases (see summary below);
the right to object to Us using your personal data for particular purposes in certain cases (this too is summarised below); and
rights with respect to automated decision making and profiling.
If you have any cause for complaint about Our use of your personal data, please contact Us using the details provided below and We will do Our best to solve the problem for you. If We are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.
This policy is designed to give a summary of your rights but it is not a legal document or legal interpretation. If you want to obtain further information about your rights, you can contact the Information Commissioner’s Office (ICO) or your local Citizens Advice Bureau.
Depending upon your use of Our Site, from time to time We may collect some or all the following personal, and non-personal data (see section on Our use of Cookies and similar technologies below) – our gathering of this information may be for a specific task, such as a survey, or it may be through the contact form if you get in touch with us.
Whenever we gather data about you directly using our website we will always make this clear at the time and you will have to take an action to submit the data by ticking a box or filling in a form and clicking on something to submit that information.
The type of information that we may ask for from time to time may include:
your name;
business/company name;
job title/profession;
contact information such as email addresses, telephone numbers, postal addresses and postcode;
demographic information such gender, ethnicity, religious beliefs, preferences, and interests;
your engagement or non-engagement with certain activities/institutions/organisations;
IP address;
web browser type and version;
operating system;
quality control data (e.g. ‘scores on the doors’);
your bank account details;
a list of URLs starting with a referring site, your activity on Our Site, and the site you exit to; and/or
your opinions.
The list above is not exhaustive.
We will only collect, process and store personal data for the reasons for which it is first collected, which we will state clearly at the time it is gathered (this includes use of this Site).
Occasionally we undertake surveys where we do not require personal identifiers such as name, address, postcode and the like and data may be anonymized and used in aggregate – this means that we are interested in the overall opinions of a group of people. Where we do this, your data is anonymous and we construct such surveys so that it is not possible to identify an individual from their responses (this includes setting any e-surveys not to collect IP addresses).
If we conduct an anonymous survey but it could still be possible to identify an individual from their responses than it is treated as if you have supplied us with personal data, though this is unlikely to occur.
We will only hold data that we gather for as long as is necessary and only for the reasons it was first collected.
We will comply with the GDPR requirements to safeguard your rights at all times.
A ‘first party Cookie’ is one that would be placed directly by us and used only by us – presently, this Site does not use ‘first party Cookies’ and will not place these on your computer or device because of your use of this website.
However, in using this site you may also receive certain ‘third party Cookies’ on your computer or device. ‘Third party Cookies’ are those placed by parties other than us. Third party Cookies are not essential for the functioning of this website, but do help us by helping us analyse the use of our site so that we can better understand our audience. Data is aggregated and presented to us in an anonymized format – we do not receive your personal details through any ‘Third party cookies’.
Before third party Cookies that use your personal data are placed on your computer or device, you will be shown a popup requesting your consent to set those Cookies. By giving your consent to the placing of Cookies you are enabling Us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however, as Our Site develops certain features of Our Site may no longer function fully or as intended. You will be given the opportunity to allow only first party Cookies and block third party Cookies that use your personal data.
As Our Site evolves, certain features may be created that will depend on Cookies to function. Cookie Law deems these Cookies to be “strictly necessary”. Your consent will not be sought to place these types of Cookies, but it is still important that you are aware of them. You may still block these Cookies by changing your internet browser’s settings, but please be aware that Our Site may not work properly if you do so. We will always take care to ensure that your privacy is not at risk by allowing them.
The following third party Cookies may be placed on your computer or device because of using Our Site:
• Google Analytics
Our Site uses analytics services provided by Google Analytics. Website analytics refers to a set of tools used to collect and analyse anonymous usage information, enabling Us to better understand how Our Site is used. This, in turn, enables Us to improve Our Site and the products/services offered through it. You do not have to allow Us to use these Cookies, however Our use of them does not pose any risk to your privacy or your safe use of Our Site, and it does enable Us to continually improve Our Site, making it a better and more useful experience for you.
Note that as Our Site evolves, the third-party cookies that we use may change, so you should regularly check this policy for updates.
In addition to any controls that We provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third party Cookies. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.
You can choose to delete Cookies on your computer or device at any time, however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, any login and personalisation settings that we may add from time to time.
It is recommended that you keep your internet browser and operating system up-to- date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.
With the exception of any links to data processers acting on our behalf (see below) all links on this Site to third party websites are provided solely as a convenience to you. If you use these links, you will leave Our site. Unless the site we link to has a function to control data for us (i.e. they would be our data processor) we will not review the privacy policy of third party sites and we do not have any control of, nor will we be held responsible for any of these sites, their content or their privacy policy. We do not endorse or make any representations about them, or about any information, software or other products or materials found there, or about any results that may be obtained from using them. If you decide to access any of the third-party sites linked to this site,you do so at your own risk.
Where any third-party website links are for the purposes of our gathering data (e.g. a link to an online survey platform that we may use to help us to gather data) we will make that clear everywhere the link is posted and we will have checked that the data processor is GDPR compliant and also that they are compliant with our own high standards of privacy.
The following table summarises the various forms of lawful basis for gathering data and your rights to erasure, portability and to object for each (table adapted from ICO guidance):
|
Right to erasure |
Right to portability |
Right to object |
|
|
Consent |
Yes |
Yes |
No* |
|
Contract |
Yes |
Yes |
No |
|
Legal obligation |
No |
No |
No |
|
Vital interests |
Yes |
No |
No |
|
Public task |
No |
No |
Yes |
|
Legitimate interest |
Yes |
No |
Yes |
|
*but with the right to withdraw consent |
|||
The ICO defines and exemplifies each of the above as follows:
“(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public
interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)”
Whenever we gather, process or store personal data it will have a clear legal basis as shown in the list above. The principal reasons for us gathering, processing and storing personal data and their lawful basis are as follows:
• where it is for gathering opinion (e.g. as a survey of market visitors or of retailers/traders permanently located in areas where we hold markets) or for our own or other’s marketing (including photography where the individual is clearly the subject of the photograph and is not someone that are in a contractual relationship with), then our lawful basis will be consent and we will ask you if you (or a legal guardian/carer for children and vulnerable adults) wish to provide this data (you have the right to withdraw your consent to Us using your personal data at any time, and to request that We delete it);
where we have entered into a contract with you either because you are receiving a product/service from us or where we are receiving a product/service from you, then our legal basis will be contract – this includes photography that features staff/volunteers of an organisation with whom we have a contractual basis where the individuals are over 18 and are not a vulnerable adult (but we will always be sensitive to any requests not to take photographs of certain individuals);
where we gather data to comply with regulation imposed by law, for example for Local Authority licensing requirements, or for record keeping that we are legally obliged to conduct such as maintaining accounts, then our legal basis will be legal obligation;
where we gather information for health and safety or other general safeguarding purposes (for example details of traders where there is a higher fire risk), then our legal basis is vital interests;
occasionally we may be commissioned by a public body to gather data that will assist them in fulfilling non-statutory roles that are in the public interest – usually consent will still be the lawful basis for gathering personal data in these circumstances but occasionally it may be public task, and where it is we will make this clear; and/or
there is certain personal data that we deem to be in our legitimate interest to gather, such as: analytics for use of Our Site; data from past traders who we think reasonably still have an interest in hearing from us and/or key individuals in formal roles (e.g. employees of public bodies and limited companies) that have participated in/collaborated with us in delivering the markets and other events - we use these for marketing and communications purposes; and photography at events that we may run or participate in. If an individual is clearly the subject of the photograph and is not a trader then this will fall under consent, where the individual is a trader then we consider this to fall under contract, but where images are taken of crowds, where a person’s features may be visible but where they are not clearly the subject of the photograph (e.g. long shots of crowds) and where traders are depicted who no longer trade with us, then our lawful basis is our legitimate interest. We will, wherever possible, post information at venues and locations to make it clear that photographs may be taken and we will respect any requests from individuals not to have the photograph taken. In all instances, we will always pay care and attention to safeguarding of children and vulnerable adults.
We will not send you any unsolicited marketing/spam and will take all reasonable steps to ensure that We fully protect your rights and comply with Our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
We use third party providers to host our website and to provide third party cookies (see below) and also for our online backups of our administrative files. As a result, some or all of your data when using our websites and data that we collect about you that is stored on our own systems could be stored outside of the European Economic Area (“the EEA”) (which consists of all EU member states, plus Norway, Iceland, and Liechtenstein). If We do store data outside the EEA, We will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under GDPR.
We provide reasonable safeguards for use of your data – key measures are as follows:
check that any suppliers who may process data on our behalf are compliant with GDPR;
using SSL connections for email;
use secure username/passwords for our electronic data storage devices;
never store personal data on USB or similar portable drives;
maintain an ability to remotely delete data from any laptop should it be lost or stolen; and
storing hard copies containing personal information in our offices, transferring data to a secure digital format wherever possible and as soon as possible, and shredding hard copies once they are no longer required.
Although an independent company, Uplands Market Ltd. is an initiative set up by Urban Foundry Ltd. You can find out more about Urban Foundry here:www.urbanfoundry.co.uk. Urban Foundry sets up and provides the day to day administration of the markets, providing our computer systems and all related storage. Therefore, Urban Foundry Ltd. is the data controller and Uplands Market Ltd. is the data processor for the vast majority of information that we collect.
We will only share your data under the following circumstances:
with other projects that are directly affiliated with us where we provide a booking service, including:
o CanolfanLtd.(tradingasUnitNineteen);o SwanseaCouncilforspecialevents;
o SwanseaUniversityforspecialevents.
where the reason for gathering the data is our role as a data processor for a third-party client e.g. survey data that we may gather (in these instances we will have made it clear to you who we are gathering the data for and what it’s purpose is in advance and it is most likely that in these cases the legal basis will be consent, which you are free not to provide);
where we contract with other agencies to provide the services to our clients or to you directly (in these instances we will ensure that the provider is fully GDPR compliant and adheres to our privacy policy as part of their contract with us an in all instances only data necessary for the performance of the task and gathered lawfully will be used);
where the use of our website involves data gathered by a third-party cookie provider (see below);
where we are legally obliged to disclose the data; and/or
(only in exceptional circumstances) where we deem that the safeguarding of an individual overrides their right to privacy.
In all instances We will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, Our obligations, and the obligations of the third party under the law.
We may compile statistics about the use of Our Site including data on traffic, usage patterns, user numbers, sales, and other information. All such data will be anonymised and will not include any personally identifying data, or any anonymised data that can be combined with other data and used to identify you. We may from time to time share such data with third parties such as prospective investors, affiliates, partners, and advertisers. Data will only be shared and used within the bounds of the law.
We use several third-party suppliers as data processors – we have satisfied ourselves that to the best of our ability to check they are all compliant with this policy and in line with GDPR requirements. Their privacy policies can be found on their respective websites:
Dropbox for online backup and filesharing within the company;
Eventbrite for e-ticket sales;
Fasthosts Ltd. for our website and email;
Google for Google Analytics for analysing visitor statistics to our website and Google Maps for the location map on our website;
iZettle for certain financial transactions;
Cooperative Bank for financial transactions; and
Paypal for certain financial transactions.
From time to time we may also use the following for marketing/market research:
MailChimp for marketing; and
SurveyMonkey for online research.
We use social media to market our work and our projects. The data from social media channels never enters our systems, but we will from time to time upload photographs to social media channels on our pages/twitter fees, so you should satisfy yourself of their privacy policies and how you can manage your own data on their sites. We currently use the following social media channels:
• Facebook; and • Twitter
A business is a corporate entity and it is the business that gathers and holds any data. Therefore, any personal data that you have provided will, where it is relevant to any part of Our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use that data only for the same purposes for which it was originally collected by Us and in line with the GDPR regulations. Should the business be sold, you will not be contacted in advance and/or informed of the changes provided that the corporate entity retains the same company number.
In the event that the company were to merge and a new company number created, then you will be contacted about any data we hold about you and how this may or may not be transferred to the new entity.
Should the business cease to trade then all data will be securely deleted/destroyed once all legal obligations for the wind up of the business are met and we will retain a reserve sufficient to cover the costs of doing this.
Under GDPR legislation you have the right to request a copy of any personal data we hold that relates to you and in the areas identified above, to request that we delete that data. We will respond to your request promptly and there will be no cost to you of making or our responding to such a request but it is important that you are clear what you are requesting.
info@swanseabaystreetmarkets.co.uk
The Engine Room @HQ, Llys Glas, Alexandra Road, Swansea, SA1 3RD
If you wish to make a request for information about the data we hold about you then it is important that this request is made clear when you contact us.
We regularly review all our policies and this policy may be updated from time to time to reflect changes in law and/or the evolving nature of how we conduct our business.
We will update the policy on our website as soon as any changes have been made. We will be as open and transparent as we can be with any changes that affect collection of data and draw user attention to any major changes via our blog page and social media. For clients and those that we engage with directly to gather data (rather than via our website) we will always draw their attention to the key issues of privacy at the point of first contact. If you principally (or exclusively) engage with us via our website then your use of the Site is based on the Privacy Policy that is published on the site during each visit to the site, so you should check this policy regularly to keep up-to-date.
This policy was last updated on 25th May 2018.