Privacy and Data Protection Statement

Updated for UK GDPR compliance – December 2025

Version: 1.1
Approved by: Board of Trustees
Approval date: 22th December 2025
Last reviewed: 15th December 2025
Next review due: 15th December 2026

Phoenix Arts Association Limited (Phoenix Art Space) is committed to protecting your privacy. This Privacy and Data Protection Statement explains how we collect, use, store, and protect personal information when you interact with our website, services, or communicate with us online, by phone, email, post, or in person. We process personal data in accordance with the lawful bases set out in this statement.

1. UK GDPR

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 provide individuals with rights and protections in relation to their personal data. Phoenix Arts Association Limited (Phoenix Art Space) complies with these laws and operates in line with the seven data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.

2. Data Protection Act

The Data Protection Act 2018 supplements the UK GDPR in the United Kingdom and sets out additional conditions, safeguards, and enforcement provisions. We also comply with the Privacy and Electronic Communications Regulations (PECR) when sending electronic communications or using cookies.

3. Data Collection and Use

We collect personal information through our website and related services for the following purposes:

  • Monitoring website usage and performance through Google Analytics.
  • Managing enquiries, contact forms, event bookings, and purchases through secure platforms (including Eventbrite and PayPal).
  • Sending newsletters and updates via Mailchimp, where you have chosen to receive them.

These activities are carried out under legitimate interests, consent, or contractual necessity, as set out in Section 4.

4. Lawful Bases for Processing

Our lawful bases for processing personal data under Article 6 of the UK GDPR include:

  • Legitimate interests – to manage memberships, assess applications, administer services, and deliver our charitable objectives.
  • Legal obligations – to comply with employment, safeguarding, financial, and regulatory duties.
  • Contract – to fulfil agreements with staff, freelancers, suppliers, and event participants.

Where we process special category data (such as disability or ethnicity information), we rely on Article 9(2)(g) UK GDPR (substantial public interest) in accordance with Schedule 1 of the Data Protection Act 2018. This processing is supported by an Appropriate Policy Document setting out safeguards and retention periods.

5. Third-Party Processors

We work with trusted third-party processors who meet appropriate data protection and security standards. These include:

  • Google Analytics – website usage and performance monitoring
  • Mailchimp – newsletter distribution
  • Eventbrite – event promotion and bookings
  • PayPal – secure online payment processing

Some of these providers (including Google Analytics and Mailchimp) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as the UK–US Data Bridge or Standard Contractual Clauses.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected and to meet legal, tax, or reporting requirements. In summary:

  • Application data – retained for the duration of membership or Pool List inclusion.
  • Unsuccessful applicants – deleted within 30 days of the decision being communicated.
  • Newsletter subscription data – retained until you unsubscribe.
  • Website analytics data – retained in line with Google Analytics retention settings.
  • Anonymised equality monitoring data – retained for up to 5 years.

When data is no longer required, it is securely deleted or disposed of in accordance with our internal Data Protection Policy.

7. Data Security

We use appropriate technical and organisational measures to protect personal information, including secure servers, encryption (such as SSL/TLS), restricted access controls, and regular system updates. Most data is stored within the UK; where data is processed overseas by trusted partners, equivalent safeguards are applied.

8. Data Breaches

In the event of a personal data breach, Phoenix Arts Association Limited (Phoenix Art Space) will assess the risk to individuals’ rights and freedoms. Where required, we will notify the Information Commissioner’s Office (ICO) within 72 hours and inform affected individuals in line with our Data Protection Policy.

9. Cookies

Our website uses cookies to improve functionality and understand how visitors use the site. We use performance and analytics cookies (including Google Analytics) to help us improve our website. We do not use advertising or profiling cookies. You can manage or disable cookies through your browser settings. Where required, cookie consent mechanisms are provided.

For full details, see our Cookie Policy

10. Your Rights

Under the UK GDPR, you have the right to:

  • Request access to the personal information we hold about you.
  • Request correction or deletion of your information.
  • Restrict or object to processing in certain circumstances.
  • Withdraw consent at any time where processing is based on consent.
  • Request data portability where processing is based on consent or contract.
  • Lodge a complaint with the Information Commissioner’s Office (www.ico.org.uk).

11. Children’s Data

Our website and online services are not primarily directed at children. Where we process personal data relating to individuals under 18, we apply additional safeguards in line with our safeguarding and data protection policies.

12. Contact Us

If you have any questions or requests regarding this Privacy and Data Protection Statement, please contact:

Data Protection Lead: Kate Neave
Email: kateneave@phoenixartspace.org
Phone: 01273 603700
Address: Phoenix Arts Association Limited (Phoenix Art Space), 10–14 Waterloo Place, Brighton, BN2 9NB

13. Review

This Privacy and Data Protection Statement replaces all previous versions and is reviewed annually. The next scheduled review is October 2026.

Donate
Facebook Twitter Instagram