Privacy Policy

Who we are:

We are Sparks Film and Media Arts. Our website address is: https://www.sparksarts.co.uk.

We are a company based, registered and trading in the UK.

What personal data we collect and why we collect it:

We collect personal data from our customers, partners, potential customers and those interested in our services.

This policy aims to provide a breakdown of all the data we collect, store and have access to, along with how we use it, where it comes from, how we store it and process it within our business activities. The policy is designed to be compliant with the terms of the GDPR, introduced in May 2018.

We are both a data controller and a data processor. We mostly utilise the services of external processing agents, however due to the nature of our work as a producer of video works, we do process and store video data and other digital media on a regular basis.

We hold and store some personal data for company records and communications (such as names and addresses), other data (such as credit card details) are processed by secure external providers and we do not hold or store the details ourselves.

Within the framework of this policy, there are some key principles to which we commit:

• We only collect and store data essential to running our core business activities
• We do not buy or resell your data from or to data merchants
• We only use your data in the manners described within this policy
• We strive to keep all your data safe and secure, we don’t share it with anybody beyond the scope of this policy
• Where we send marketing communications, these will be about our services and opportunities you may be interested in as an existing or potential customer. We will
• always respect your preferences and we will always give you the opportunity to opt out of any communications.

We routinely collect and store the following personal data, relating to Customers and Prospective Customers:

• First Names and Surnames
• Personal Addresses
• Telephone Numbers
• Email Addresses
• Names of Customer’s Child/Children
• Dates of Birth
• Details of Medical, Access Support or Other Safeguarding Requirements of Customer’s Children*Δ
• The Names of Schools Attended by Customer’s Children*
• Customer Purchases and Purchase Histories*
• Browsing Data, Website Interactions and Phone Records
• Video/Photographic/Audio Recordings of Work Featuring Customers’ Children

* = Customers only

Δ = Sensitive Data

Sensitive Data:

Under the GDPR, Sensitive Data is any data that reveals:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for the purpose of uniquely identifying a natural person
• Data concerning health or a natural person’s sex life and/or sexual orientation

We collect details of any medical/health conditions, as well as details of any access support needs, for the children taking part in our activities. This is so that we can meet the Safeguarding and Health and Safety standards expected of us as a provider of children’s activities and childcare. For instance, in the event of a participant requiring urgent medical attention, we can inform the relevant parties of any information that may prove vital to their care and treatment.

We do not collect any other Sensitive Data.

Credit Card Data

We process payments by credit and debit card, either through our secure online booking portal, or over the phone.

When provided over the phone, the data is entered into a Virtual Terminal and then processed by our credit card transaction suppliers, namely Worldpay and Stripe. This is

undertaken by authorised personnel, each of whom have been trained specifically in this process.

Credit card data is stored by our external Processors, namely Worldpay and Stripe. Both providers are PCI SS compliant and treat your data as secure. We do not store any credit card data ourselves and all data provided to us is immediately destroyed, following PCI SS compliance standards.

Video Data & Digital Recordings

As part of our business activities, we also routinely capture, process, publish and store photographic material, audio and video recordings of our Customer’s children and their

likenesses. This is in line with our core activities as a provider of children’s filmmaking activities and essential to our business purpose.

For further details refer to our Image/Voice/Likeness appendix.

Data Use

All the data we collect is essential for us to be able to effectively deliver our business activities and also to ensure we’re meeting the standards of our Safeguarding Policy and the best practice advice relating to Child Safeguarding more broadly.

We use the data to produce course registers, and to provide customers with information relating to the course. We also use the data to deliver the outcomes of the course, specifically video products and photographs for viewing afterwards.

We also retain and use this data for ongoing communications within our community of customers, partners and potential customers. These include newsletters, promotions and other information that may be of interest to our community, by email, telephone and postal letters. These communications will be limited to relevant courses, and will not be used to promote unrelated products or services. All recipients will have the chance to opt out at any time and we will respect their preferences.

We store data for seven years in order to comply with business and tax regulations. Customers are able to request a copy of any data at any point. After seven years customers have the right to request erasure. Any data relating to child safeguarding will not be erased in order to ensure compliance with child safeguarding regulations.

We regularly act to ensure records are up to date and correct.

Data Acquisition:

The data is supplied to us directly by the Customer or Prospective Customer. It may be entered directly into our database via our website query form or into our online booking system. Otherwise, it may be provided to us over the phone and entered into the system by one of our team.

We do not acquire personal data from any data merchants or resellers and we do not typically share or sell any data with external agents. The only exception to this is data connected to the safeguarding and welfare of the children in our care. For instance, we may share the Names of Customers’ Children and details of their Medical, Access Support or Other Safeguarding Requirements with our operational venue partners, or in the event of any disclosures or cause for concern, we may share further details with the relevant authorities and school contacts. Please see the Sparks Safeguarding Children Policy for further information.

Data Storage

The data is stored in our secure CRM database system, where it is held for future reference and business record purposes.

In line with the GDPR, Sparks will undertake checks and seek assurances that any external providers or processors are GDPR compliant and demonstrate a responsible attitude towards Data Protections and Privacy.

We may also keep additional records, such as paper consent forms. These are stored in locked filing cabinets, or they may be scanned and stored digitally on our secure business server.

Consent

We only collect and store your personal data with your consent, which is given at the time of supplying your data to us. Your consent is important to us and we will not use your data in any other way.

You can choose to remove your consent for us to use your personal data at any time and we will respect your preferences. You also have the ‘right to be forgotten’ and the right for the erasure of your personal data from our database.

In the case of potential customers, we will erase your data entirely. Where a customer has a booking record with us, we will only hold onto details of the booking (including a customer name) for our business records. This will apply for a period of up to seven years, in order to comply with other regulations, after which the data will be erased.

Where data is relevant to any Safeguarding or Child Protection issues, this will not be eligible for erasure and we may need to share this data with other appropriate agencies as required.

In cases where children under 18 provide consent that is not also granted by the parent, the parent’s consent will be treated as the primary consent.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Amendments:

Discussions regarding best practices regarding the GDPR are ongoing and Sparks will continue to seek advice and update this policy accordingly to ensure GDPR compliance. We will update and make available to policy as updates become available.

Privacy

This website uses cookies to better the users’ experience while visiting and accessing content. Where applicable this website uses a cookie control system allowing the user on their first visit to the website to allow or disallow the use of cookies on their computer / device.

Cookies are small files saved to the user’s computers hard drive that track, save and store information about the user’s interactions and usage of the website. This allows the website, through its server to provide the users with a tailored experience within this website. Users are advised that if they wish to deny the use and saving of cookies from this website on to their computers hard drive they should take necessary steps within their web browsers security settings to block all cookies from this website and its external serving vendors.

The Sparks website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computer’s hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information.

You can read Google’s privacy policy here for further information http://www.google.com/privacy.html.

Other cookies may be stored to your computer’s hard drive by external vendors when this website uses referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer. No personal information is stored, saved or collected.

We do not share any data from Cookies with any other companies or individuals.

Image/Voice/Likeness Data and Usage:

As part of our business activities, we also collect records of Image, Voice and Likeness data, mostly in the form of video recordings, but also digital photographs and audio recordings. This is in line with our core activities as a provider of children’s filmmaking activities and essential to our business purpose.

With image/voice/likeness data, which may refer to video footage, audio recordings or photographs, we process (“edit”) the data to form complete creative products (“works”). These works are then typically stored by us as their own entities, along with any composite parts, such as unedited video footage.

Data Acquisition:

We acquire this data through the course of our activities, with participants capturing their images, voice and likenesses as a direct consequence of their participation.

Processing:

Data is captured onto storage drives (e.g. SD cards) using equipment such as camcorders and then transferred onto password protected computer hard drives. This process takes place offline and is only undertaken by authorised personnel, who receive training in managing these processes.

Often, this work is undertaken by Sparks ‘Contractors’, using their own equipment. Each Contractor is approved by the Sparks management and receives specific training/briefings regarding confidentiality and appropriate use of material. Confidentiality and Privacy clauses are included as standard within their contracts.

We request that all video data is deleted by Contractors within three months, following its ‘sign off’ or approval.  We also perform checks to ensure that this routinely takes place.

Storage:

We store videos on a variety of external Processors (for instance YouTube and Vimeo), as well as offline on hard drives. These are all password protected and encrypted by default. We only use processors who are both reputable and assure of their compliance with the GDPR.

Publishing:

We will publish the works and share them with Customers, both on DVD and online using the relevant Processors. Some videos will be published more widely as demonstrations of our activities and as a record of our creative work, for instance on our website, social media channels, our YouTube channel and submission into film festivals. For additional information, please refer to the Publishing Policy.

We also share photographs on our website, in our email newsletters and on our social media channels. These photos form a record of particular events and demonstrate our activities to our community.

We grant third-party Licence Agreements, enabling Contractors or other approved Contacts to share video productions (and composite recordings) as part of their portfolio or as part of their events. One of the conditions of this Licence is that Sparks company marks (e.g. Logo and Business Name) are clearly displayed on the product, along with acknowledgement that Sparks is the copyright holder and the Sparks company contact details.

Consent:

We specifically seek out Image Release consent (extending to voice and likenesses) in perpetuity from the parents or guardians (typically the “Customers”) of the children taking part in our activities. From 25^th May 2018, where children are aged 13 and over, we also seek their additional consent to Image, Voice and Likeness release.

This consent is imperative to our work and we cannot operate without it, therefore it is a key condition when booking to take part.

In the event of consent refusal, or withdrawal, we will always try to be ‘reasonable’. For instance, it may be possible for a child to take part solely behind the camera, so that their image does not appear in any video data. This refusal must be stated by the Customer at the time of booking, or at the first ‘drop off’ of the child to an activity. Refusal after this point will be treated as “Withdrawal.”

In the event of consent withdrawal, we can only consider the removal of specific image data where there is a genuine case for the safeguarding and protection of a child’s wellbeing, i.e. if a vulnerable child is likely to be identified through the use of their image in a video work. This is due the difficulty involved in extracting individual images and the negative impact it will have on the artistic quality of the works. Where there is a concern connected to Safeguarding or Child Protection, we will explore the possibilities of removing images, however in these instances, it is more likely that the entire work will be withdrawn from publication. Outside of these grounds, we are unable to remove a participant’s Image/Voice/Likeness after their participation.

Limitations:

We are unable to withdraw or remove Image/Voice/Likeness data where works have already been published and data is already in the public domain, e.g. DVD products featuring specific works, or photographic materials in books or magazines.

Amendments:

Discussions regarding best practices regarding the GDPR are ongoing and Sparks will continue to seek advice and update this policy accordingly to ensure GDPR compliance. We will update and make available to policy as updates become available.