
Burrington Parish Room Ltd GDPR Policy

Preamble

Burrington Parish Room Ltd (BPR) is committed to a policy of protecting the rights and privacy of individuals. We need to collect and use certain types of data in order to carry on our work of managing the Hall.
This personal information will be collected and handled securely. Personal data is information about living individuals who can be identified from that data; the unlawful use of that data could cause an individual damage or distress.
BPR is legally obliged to follow rules relating to any personal data that it stores or uses, whether in hard copy or on a computer, memory stick, disc or mobile phone, as laid down in the Data Protection Act 1998 and General Data Protection Regulations (GDPR).
This policy sets out the guidelines that all trustees and volunteers must follow to comply with these legal rules. Personal data held in the following media are covered:

  • Paper documents such as hiring agreements, key holder lists and audience review forms.

  • Computer and paper files holding trustee, volunteer and user data such as names, addresses, dates of birth, telephone numbers, email addresses and bank account details.

  • Email addresses of audience members who have asked to be informed of future productions.

  • Photographs of identifiable users taken for website or advertising material stored on mobile phones, computers or memory sticks.

  • Advertising material displaying identifiable contacts.

Our Obligations and Responsibilities for the Holding of Personal Data
The Directors of Burrington Parish Room Ltd will abide by the following obligations and responsibilities regarding personal data obtained lawfully for the purposes of managing the Hall:

 

1. BPR will maintain a register of personal data held within its systems, stating the purpose of holding the data, its legal basis (see below), the responsible Director and how and where the data is kept. All reasonable steps will be taken to ensure that personal data held is accurate, current and still required.

2. No personal data will ever be collected without the knowledge of the individual concerned. Personal data must only be kept for the purposes for which it is collected and not used for any other purposes or shown or given to any third party. Access to personal data will be limited to trustees and volunteers where appropriate.

3. Personal data requested will be limited to only what is strictly necessary for the purposes for which they are being held and processed.

4. Personal data is confidential and must be stored safely and securely:

  • any computer or mobile phone holding any personal data must be protected by a secure access method or pass code (not easy to guess) and appropriate anti-virus software.

  • paper documents such as hiring agreements will not be copied and the originals will be filed securely until reviewed.

5. Individuals have the right to view their personal data, to request confirmation as to whether or not their data is being used and for what purpose, to request that their data be rectified if it is found to be inaccurate or incomplete, and to request that their data be deleted. In addition, personal data must not be kept for longer than is necessary:

  • requests made to UVH to view personal data will be dealt with in a timely manner and never in more than 30 days, as required by law.

  • personal details will be deleted immediately if such action is requested.

6. Emails from current or prospective users of the hall, addressed to official hall email addresses, will only be kept for as long as is operationally necessary. To ensure this, the responsible trustees will conduct regular purges of their mailboxes.

7. Emails to distribution lists of people other than trustees must always use the blind copy (bcc) function to ensure confidentiality of email addresses. Such emails will regularly ask if the recipient still wishes to receive such communications. If the answer is no then the recipient’s email address will be immediately deleted from our system.

8. The operation of this policy will be regularly reviewed along with all other UVH policies and procedures.

9. A copy of the most recent version of this policy will be posted on the UVH website under Facilities Management.

 

Lawful Bases

Under GDPR every category of personal data must have a lawful basis to enable the data to be held and processed lawfully. There are six available lawful bases for holding and processing personal data and for each category of data we have to choose which basis is most appropriate and record this. Lawful bases require that processing is necessary for a particular purpose. If you can reasonably achieve the same purpose without holding and processing the data, you do not have a lawful basis and so should not be collecting that category of data. The available legal bases are as follows:

 

(a) Consent: the individual has clearly consented to the processing of their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract we have or are about to have with the individual.

(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for our legitimate interests with regard to the management of the Hall.

 

At BPR we are unlikely to have categories of personal data falling under legal bases (d) and (e). The legal basis of each category of personal data that we process will be recorded on our register of personal data.

 

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, BPR shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office within 72 hours as required by law.

 

Privacy Notice

The following privacy notice will be prominently displayed on our website:

Burrington Parish Room Ltd uses personal data for the purposes of managing the hall, its bookings and finances, running and marketing events at the hall, staff employment and any fundraising activities. Data may be retained for up to 7 years for accounts purposes and for longer where required by the hall’s insurers. If you would like to find out more about how we use your personal data or want to see a copy of information about you that we hold, please contact the Hall Manager.

Burrington Parish Room Ltd General Data Protection Regulations (GDPR) Policy Version 1.02, 16.01.20

 

Individual Director Responsibilities

All Directors are individually responsible for adherence to this GDPR policy. However, responsibility for its administration and regular review rests with the Secretary.
