BASIC PRINCIPLES WHEN COLLECTING, UTILIZING OR STORING PERSONAL DATA
The key rules set by GDPR can be summarized in the following eight principles:
We have the obligation to always inform individuals that we are collecting their personal data and how we do this. In other words, we have to be transparent about the purpose for, and the ways of, utilizing the personal data. Also, we need to ensure that individuals know how they can contact us.
The right way to inform individuals is through a privacy statement. Stage Entertainment has templates of privacy statements available.
Please ask your Data Protection Country Leader for a privacy statement template if you are collecting personal data.
Every processing of personal data should always start with defining the specific purpose you have to collect, process and store personal data. It is legally forbidden to use personal data other than for the purpose for which they were originally collected, unless you have another lawful entitlement to do so.
Please verify with your Data Protection Country Leader if you intend to use personal data based on a lawful entitlement such as legitimate interest or contractual obligation.
Ensure the Basis is Lawful
Please make sure you have one of the following lawful bases for processing personal data:
- An explicit consent given by an individual to process their personal data. Examples are subscriptions to a newsletter, a sweepstake, or an application for an audition or a job;
- Adhering to our obligations under the contract to which an individual is a party. Examples are obligations under an employment contract, such as salary payments and social security registration, or notifying a ticket buyer about the cancellation of a performance;
- Legitimate interest of Stage Entertainment. An example is marketing to existing customers about products similar to the ones they have purchased before;
- Other lawful entitlements can – for example – be adhering to a legal obligation, acting in accordance with the public interest, or protecting the vital interests of an individual.
If you are unsure when starting a new process, please ask whether the basis you have in mind can be considered lawful.
Please always consult with your Data Protection Country Leader if you intend to use a lawful interest other than consent.
We have to ensure that personal data are kept confidential and processed securely. So, never disclose or give access to personal data to others if they do not have a clear and defined "need-to-know". Never disclose personal data to individuals or entities outside of Stage Entertainment unless you are sure we have entered into a specific data protection agreement with them. Please follow the security guidance of your IT department and always consult with your IT department prior to using any application or data service. If a data leak or security incident happens, please minimize any further damage and report the event immediately to firstname.lastname@example.org.
Keep Data Accurate
Please keep all personal data under your mandate accurate and request an update from individuals if the personal data might be obsolete.
Minimize and Delete
Always collect the minimum amount of personal data needed for the purpose you identified. Do not store personal data extensively, and delete personal data once they are no longer needed or your entitlement to process them has expired.
Please apply common sense for now; guidelines for specific retention periods will be issued soon.
Apply Privacy by Design
When starting a processing of personal data, always select the most privacy-friendly option to protect the rights of the individual. You may be asked – in the coming period – to review the data processing registers Stage Entertainment is building, which will need to give a full overview of all business processes in which Stage Entertainment utilizes personal data. Please review these carefully, and let your Data Protection Country Leader know if any process is missing.
Please consult with the Data Protection Country Leader if you intend to collect or process personal data in a new manner or with a new party/entity.
We are accountable for proving to the Public Authorities that we are meeting the GDPR requirements. As said above, you may be asked to fill in registers for processing activities under your mandate. Note: you should also be aware that individuals have the right to request access to all information we store about them. Therefore, keep all records accurate and up to date, and do not make any notes about individuals which would cause unease if they were disclosed. This applies mainly to auditions and job applicant interviews.
Please always follow the principles above and additional internal guidelines, and consult with your Data Protection Country Leader whenever necessary.