Version 1.00, 21 May 2018
In order to comply with the GDPR, we need to make a clear statement about what personal data we collect, how we store it, and how we use it. Even using a simple list of email addresses comes under the scope of the GDPR (unless it is for strictly domestic use, which running an orchestra obviously is not).
Who are we?
What exactly is Scottish Sinfonia anyway? We are an amateur orchestra, which is organised by the conductor, assisted by a team of volunteer helpers. Legally speaking, Scottish Sinfonia is not a "legal entity": it is not a company, nor a charity, nor any other kind of incorporated organisation.
That means that any personal data held by Scottish Sinfonia is actually held by one of our team of volunteer helpers. The good news is that — as private individuals — we all value our privacy and recognise the need to safeguard our own personal data. Likewise, we will always treat other people's personal data with the same respect and care.
The GDPR applies to individuals as well as to companies, and so all of our helpers are obliged to comply with its requirements, as explained below.
You can contact us via email:
What personal data do we keep, and why?
We keep very little personal data. What we do keep is for two purposes: to enable the administration and organisation of the orchestra, and to publicise the orchestra's concerts. We do not hold any personal data which the GDPR would class as "sensitive", and we do not hold any personal financial information (e.g. bank account or credit card details). What data we do hold, and how we use it, is described in the following sections.
Data kept for administration and organisation
In order to organise the group of players required for each concert, we keep lists of names, email addresses and telephone numbers of players who have played with us previously, and of players who have written to us to express an interest in playing in the orchestra.
If you send us an email to enquire about playing in the orchestra, you should reasonably expect that we will circulate your email: for example, to the conductor, to the leader or a section principal, and to the wind or string section secretaries (who keep lists of players and potential players). Once your name is "on the list", you may expect to receive emails asking if you are available to play in particular concerts; we may also use telephone or text messages, particularly if we need to contact players urgently.
We organise the orchestra using email, phone calls and texts, so we assume that you are happy with this. If you don't want to receive emails, phone calls or texts from us, then the people who organise the players can't invite you to play! Under the terms of the GDPR, it is in our "legitimate interests" to keep lists of players, and to contact players as required in order to organise our concerts.
Data kept to publicise the orchestra's concerts
We run two mailing lists: one using email, and one using postal mail. Since the mailing list data is used for marketing our concerts, it clearly falls within the scope of the GPDR, and we can only send marketing information to individuals who can given their consent for this.
The Email Mailing List
One of the new provisions of the GDPR is that anyone on our email mailing list must give their consent to receive marketing emails, and we must keep a record of that consent. We have always complied with the first condition (since our mailing list uses an automated double opt-in system), but we didn't keep a record of who opted in, and when. As a consequence, we have had to renew our mailing list by sending out an invitation to re-subscribe. This enables us to keep the legally-required record of consent.
We will never sell or pass on your email address to anyone else. We will never send or forward emails from other organisations to you via this mailing list.
The GDPR gives you the "right to be forgotten". If you unsubscribe from the electronic mailing list, then your email address will be automatically (and permanently) deleted, and we will then have no record that you were ever on that mailing list. If we ever stop running the mailing list, then all data will be deleted.
The Postal Mailing List
You can sign up to the postal mailing list by completing a form which is available at our concerts. That form becomes our record of consent, and we will hold it (securely) for as long as you remain subscribed.
We will never sell or pass on your name and postal address to anyone else. We will never send or forward mail from other organisations to you via this postal list.
If you decide to unsubscribe, or if we ever stop running the postal mailing list, then the form and any other records of your name and address will be destroyed.
If you no longer wish to receive the postal newsletter, please tick the appropriate box at the foot of the newsletter, and send it to the address printed on the newsletter.
Things that we don't do
We don't collect personal data from visitors who just browse this website (unless you choose to subscribe to our electronic newsletter), and we don't store cookies on your computer.
We sometimes receive emails saying something like: "We are running a music course in a lovely house in the country. Please send the enclosed leaflet to all your members." Well, we can't, and we won't. Our players have not given their consent to receive other people's marketing information, and so forwarding such emails would be a breach of the GDPR. Likewise, we won't forward any such emails to our mailing list subscribers.
We sometimes receive emails saying something like: "We are putting on a concert and we don't have enough string players - can you please ask all your members if they would be interested in playing?" This seems to be a grey area; however, our members have not given their consent to receive other people's emails via us, so I don't think we can do that either.
Things that our volunteer helpers have to do