Data Protection and Privacy Policy

May 2023

About Us

Creative Crawley is a Charity Incorporated Organisation no: 1195308.

Creative Crawley needs to gather and use certain information about the people it deals with in order to operate. These include our employees, our customers, our audiences, consultants, suppliers, and other people we have a relationship with or may need to contact.

We are committed to operating in accordance with relevant privacy and data protection legislation and to ensuring staff are appropriately trained and supported to achieve this. This policy describes how personal data must be collected, handled and stored to meet the company’s data protection standards, and to comply with the law. It also explains how we use this information and individuals’ rights in this regard.

We are registered with the Information Commissioner’s Office.

What data is relevant?

Data Protection legislation is concerned with the use of personal data, held on electronic systems, in paper filing and online identifiers such as location data and cookies.

Personal data is defined by the ICO as data that relates to a living individual who can be identified –

  • from that data, or
  • from that data and other information in the possession of (or likely to come into the possession of) the data controller e.g: expressions of opinion about an individual.
  • from codified records that do not identify individuals by name but, for example, bear unique reference numbers that can be used to identify the individuals concerned.

Special categories of personal data means information that could be used in a discriminatory way, so needs to be treated with greater care than other personal data, i.e: information about:-

  • race or ethnic origin
  • political opinions,
  • religious beliefs or other beliefs of a similar nature,
  • trade union membership
  • physical or mental health or condition,
  • sexual life,
  • commission or alleged commission by the data subject of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

Who’s who in data processing

A data subject: Anyone whose data is processed.

A data controller: The organisation/person who decides how personal data will be processed. Data controllers will usually be organisations, but can be individuals, for example self-employed consultants.

A data processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller, e.g: external payroll service providers.


In line with the GDPR we will ensure that when we process personal data we have the data subject’s consent and that the data subject has been made aware that they have the right to withdraw their consent. Consent must be:-

  • Specific to the purpose for which we are using the data.
  • Unambiguous
  • Active not implied: Silence is not consent; pre-ticked boxes, inactivity, failure to opt-out or passive acquiescence will not constitute valid consent.
  • Freely given: Consent will not be valid if the data subject does not have a genuine and free choice or cannot refuse or withdraw consent without detriment.

What personal information do we collect and process?

We are required to have a lawful basis for processing personal data and the new legislation places emphasis on us being accountable for, and transparent about this.

There are 6 lawful bases for processing an individual’s data, which are:

  • Consent: we have been given clear consent to process personal data for a specific purpose
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
  • Contract: the processing is necessary for a contract
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
  • Vital interests: the processing is necessary for us to protect someone’s life
  • Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law

Crawley College, College Road, Crawley, West Sussex, RH10 1NR | @CreativeCrawley | Charity Incorporated Organisation no: 1195308

In most cases, our lawful basis for processing data will be Consent, Contract, Legal obligation and Legitimate interest.

We collect information if:

  • A data subject has visited our website
  • A data subject has signed up to our mailing list
  • A data subject completed an online or paper feedback form following one of our events, participatory projects, workshops, talks or other activities.
  • A data subject has contacted us via email, via the contact form on our website or otherwise.
  • A data subject has interacted with us on social media, either directly or indirectly. From time to time we save anonymised social media feedback and conversations for evaluation purposes.
  • A data subject has donated money to us either via our website, JustGiving, cheque, cash, services in kind or given money in return for a product from our shop.
  • A data subject has told a venue where we are holding an event, or a partner organisation co-presenting one of our projects, that they are happy for their contact information to be passed on to us.
  • A data subject has submitted a job application, sent us their CV or applied to work with us in any context including volunteering.
  • A data subject has signed up to or attended one of our workshops, events or activities.
  • A data subject has been contracted by us to provide a service or participated in one of our projects.

Data Protection Principles

The Data Protection Act is underpinned by eight important principles. These say that personal data must:

  • Be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
  • Be obtained only for specific, lawful purposes
  • Be adequate, relevant and not excessive
  • Be accurate and kept up to date

  • Not be held for any longer than is necessary for the purpose for which they are processed
  • Be processed in accordance with the rights of data subjects (these include: the right to be informed that processing is being undertaken; the right of access to one’s personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is factually inaccurate or misleading)
  • Be protected in appropriate ways – organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.

Creative Crawley will manage personal data appropriately and apply strict criteria and controls to ensure that it implements the DPA in accordance with the eight data protection principles, and with relevant government standards and guidance.

Handling Personal Information

Creative Crawley staff must understand their responsibilities with respect to the proper handling of data, and ensure that:

  • Information is collected, processed, held, transferred and disposed of appropriately, with care for its quality and security.
  • The way personal information is handled and managed is regularly reviewed and audited.
  • The only people able to access data covered by this policy are those who need it for their work.
  • Data is not shared informally.
  • Personal data is not disclosed to unauthorised people, either within the company or externally. Staff should keep data secure by taking sensible precautions that ensure unauthorised people cannot see it.
  • Strong passwords are used and never shared.
  • Data is held in as few places as possible.
  • Staff who work with data take reasonable steps to ensure it is kept as accurate and up to date as possible. Data should be updated as inaccuracies are discovered, and marketing databases will be checked regularly (at least every 6 months). If no longer required, data should be deleted and disposed of.

  • The rights of people about whom information is held can be fully exercised under the DPA, including the right to access information.
  • There is someone with specific responsibility for data protection in the organisation

Sharing Data

Creative Crawley may use other organisations’ data and in doing so will ensure that individuals have agreed to this use of their personal data. Individuals have a right to prevent the processing of their details for direct marketing purposes. We will ask that the data has been obtained legally and can be used for the purposes that we need it for.

The Privacy and Electronic Communications (EC Directive) Regulations 2003

There are new restrictions on unsolicited direct marketing activity to individuals by telephone, fax, text/video/picture messaging, email and automated calling systems.

In order to comply with these regulations, Creative Crawley will:

  • Make sure that if an intended recipient has opted out we do not continue to mail them.
  • Continue to provide opt out opportunities in every mailing to ensure compliance with the data protection principle that all personal data held should be accurate and up to date.
  • Make it clear in all mailings who the sender is (otherwise the recipient will be denied the ability to opt out).
  • Make it clear to website users if we use cookies or similar tracking devices, and give them the opportunity to refuse their operation.

Subject Access Requests

All individuals who are the subject of personal data held by Creative Crawley are entitled to:

  • Ask what information the company holds about them and why.
  • Ask how to gain access to it.

  • Be informed how to keep it up to date.
  • Be informed how the company is meeting its data protection obligations.

If an individual contacts the company requesting this information, this is called a subject access request. We will always verify the identity of anyone making a subject access request before handing over any information.

In certain circumstances, the DPA allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances Creative Crawley will disclose requested data. However, we will ensure that the request is legitimate, seeking assistance from the board where necessary.

Deletion of data

Data subjects have the right to request to be “forgotten”. Creative Crawley will delete records in line with GDPR as follows:-

  • When processing can cause substantial damage or distress.
  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

  • If the personal data was unlawfully processed.

Providing Information

Creative Crawley aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • How the data is being used
  • How to exercise their rights
