Dated 6 July 2022 




A registered charity in England & Wales (number 1151584)

ICO number ZB149548

Teatro Vivo Limited (“Teatro Vivo”) is a theatre company and a charity. We may collect and retain personal data in order to:

  • Produce theatre;
  • Provide theatre based services;
  • Provide workshops for actors and members of the public;
  • Meet our charitable objectives;
  • Provide references or feedback;
  • Enforce a contract;
  • Comply with our accounting and legal obligations;
  • Take or defend proceedings.

This document sets out our procedures for the collection, storage, use and sharing of personal data and data for electronic business to business communications, in line with the Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications Regulations (“PECR”).

Responsibility for data protection

Teatro Vivo does not need a designated Data Protection Officer under the UK GDPR. The Board has overall responsibility for the protection of personal data held by Teatro Vivo. The Board has delegated this responsibility to the Artistic Directors.


Data Protection legislation is concerned with the use of personal data, held on electronic systems, in paper filing and online identifiers such as location data and cookies.

“Personal data” is defined by the Information Commissioners Office (the “ICO”) as data that relates to a living individual who can be identified:

  • from that data, or
  • from that data and other information in the possession of (or likely to come into the possession of) the data controller e.g: expressions of opinion about an individual.
  • from codified records that do not identify individuals by name but, for example, bear unique reference numbers that can be used to identify the individuals concerned.

“Special category data” means information that could be used in a discriminatory way, so needs to be treated with greater care than other personal data, i.e: information about:

  • race or ethnic origin
  • political opinions,
  • religious beliefs or other beliefs of a similar nature,
  • trade union membership
  • physical or mental health or condition,
  • sexual life,
  • commission or alleged commission by the data subject of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

“Data subject” means anyone whose data is processed.

“Data controller” means the organisation which decides how personal data is or will be, processed.

“Data processor” means any person (other than an employee of the data controller) who processes the data on behalf of the data controller, e.g: external payroll service providers.

The legal basis for collecting and processing your personal data

In line with the UK GDPR, we will ensure that when we collect and process personal data we have a lawful basis for doing so. We rely on the following legal bases:

  • You have given consent to the processing of your personal data;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation;
  • Processing is necessary in Teatro Vivo Ltd’s legitimate interests.

Where consent is concerned, that consent must be:

  • Specific to the purpose for which we are using the data;
  • Unambiguous;
  • Active, not implied. Silence is not consent; pre-ticked boxes, inactivity, failure to opt-out or passive acquiescence will not constitute valid consent;
  • Freely given. Consent will not be valid if the data subject does not have a genuine and free choice or cannot refuse or withdraw consent without detriment, although there will be some situations (for instance if you wish to be engaged as an actor by us, where your personal data has to be provided, to enable us to do so).

Ways in which we may ask for consent include:

  • Written consent;
  • Ticking a box on a web page;
  • Choosing technical settings in an app;
  • Verbal consent (which is then recorded in writing);
  • Any other statement/conduct that clearly indicates (in this context) the data subject’s acceptance of the proposed processing of personal data e.g: cookie acceptance.

You are entitled to withdraw your consent.

How do we deal with data?

We collect and process personal data in line with the principles set out in the UK GDPR. We will:

  • Observe the conditions regarding the fair collection and use of information;
  • Meet our legal obligations to specify the purposes for which information is used;
  • Collect and process appropriate information, but only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements;
  • Take reasonable steps to ensure the quality and accuracy of information used;
  • Ensure appropriate retention and disposal of information;
  • Ensure that the rights of people about whom information is held can be fully exercised under the UK GDPR. These include:
    • The right to be informed;
    • The right of access;
    • The right to rectification;
    • The right to erase;
    • The right to restrict processing;
    • The right to data portability;
    • The right to object; and
    • Rights in relation to automated decision-making and profiling.
  • Take appropriate technical and organisational security measures to safeguard personal information;
  • Ensure that personal information is not transferred outside the EEA without suitable safeguards;
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information;
  • Set out clear procedures for responding to requests for information;
  • Take appropriate steps to complete due diligence and enter into contractual arrangements with data processors and controllers where personal data is shared;
  • Ensure all regulatory requirements are satisfied when processing special category data and criminal information.

We collect and process the following data:

  • Audience members: names, email addresses and postcodes.
  • Subscribers to our mailing list: names and email addresses.
  • Volunteers: names and contact details.
  • Workshop participants: names, contact details and any other personal data provided by the contractor to us in any CV.
  • People who give testimonials about our work: names.
  • Contractors (which includes actors and other creatives): names, contact details, bank details and any other personal data provided by the contractor to us in any CV, application or covering letter or provided verbally by the contractor during the application process or during an appraisal of which a written note was made.
  • Suppliers: names, contact details and bank details.
  • Employees: names, contact details, bank details and any other personal data provided by the employee to us in any CV, application or covering letter or provided verbally by the employee during the application process or during an appraisal of which a written note was made.
  • Board members: names, dates of birth and contact details.
  • Unsuccessful applicants for positions as volunteers, contractors, workshop participants, employees or Board members: names, contact details, bank details and any other personal data provided by the contractor to us in any CV, application or covering letter or provided verbally by the contractor during the application process or during an appraisal of which a written note was made.
  • Complainants: names, contact details and any personal data provided by the complainant as part of their complaint.
  • Victims of accidents: names, contact details and information about any damage suffered.

We may also obtain names and contact details from parties, such as venues

That data may be stored in any of the following:

  • Computer database;
  • Hard copy;
  • Email system.

The data may be processed by:

  • The Artistic Directors;
  • Other employees;
  • Board members;

Sharing your data

We may share your data with data processors engaged by us to process your data (such as Teatro Vivo’s Artistic Directors), HMRC or other regulatory authorities, with venues if they are responsible for the box office (although the only data which will be shared in this instance is your name) or payment processers such as Worldpay.

Retention periods

We will keep personal data for the following periods, unless we are asked by the data subject to delete their data at an earlier date in line with the right to be forgotten (save that the data may be retained if required by law, until any transaction between Teatro Vivo and the data subject for which the data is required has been completed, until any legal proceedings made by or against Teatro Vivo in relation to the data subject have been fully and finally concluded or where one of the other exceptions in the UK GDPR applies):

  • Audience members (who do not subscribe to our mailing list): until the end of the run of the show that they attended.
  • Subscribers to our mailing list: until such time as they request to be removed (as to which, see the section on marketing below).
  • Volunteers: six years.
  • Workshop participants: six years.
  • Contractors:
    • for actors and creatives who consent to have their details retained on our database, until such time as they ask to be removed;
    • for all other contracts, seven
  • Suppliers: seven
  • Employees: seven years after employment ceases.
  • 4 members: permanently.
  • Unsuccessful applicants: one year.
  • Complainants: six years.
  • Victims of accidents:
    • 3 years from the date of the last entry or, if the accident involves a minor, three years from the date of their 18th birthday; or
    • if an insurance claim by Teatro Vivo is still ongoing at that date, until that claim has been fully and finally settled.

Data security

We will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

  • Storage of paper files containing personal data in locked cupboards (with restricted access to keys);
  • Password protection on all electronic files containing personal data;
  • Encryption on all laptops or PCs containing or having access to personal data.

We will ensure all personal data is non-recoverable from any computer system we use or dispose of.


In the event of a data protection breach, which is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, we will undertake the following steps:

  • Instigate necessary investigation.
  • Where it is determined that the breach has met with the required threshold and is likely to result in a risk to the rights and freedoms of the data subjects involved, report the breach to the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.
  • Where it is assessed that the data subjects should be informed of the data breach, take the relevant steps to advise the affected parties.


A copy of this policy and the ICO guidelines will be provided to any person who will be processing personal data held by Teatro Vivo, as well as information about password protection, encryption and the importance of keeping files locked and keys safe


In line with PECR, we will not contact individuals for direct marketing purposes by email, the internet, phone, fax or any new electronic systems that may be introduced without prior consent. (Note that this does not include business to business communications to generic addresses).

We provide opt-out opportunities in every mailing to ensure compliance with the principle that data held should be accurate and up to date.

All our mailings make it clear who the sender is, so the recipient’s ability to opt out is viable.

Our website makes it clear we use cookies to collect details of visitors to our website and gives them an opportunity to refuse their operation.

Your rights

Under the UK GDPR, you have a number of rights that you can exercise in certain circumstances. These are free of charge. In summary, you may have the right to:

  • Ask for access to your personal information and other supplementary information (as to which, see the section on subject access requests below);
  • Ask for correction of mistakes in your data or to complete missing information we hold about you;
  • Ask for your personal information to be erased, in certain circumstances;
  • Receive a copy of the personal information you have provided to us or have this information sent to a third party. This will be provided to you or the third party in a structured, commonly used and machine readable format, e.g. a Word file (save where the data provided to us has been provided in a different format and that is the only format in which we hold it);
  • Object at any time to processing of your personal information for direct marketing;
  • Object in certain other situations to the continued processing of your personal information;
  • Restrict our processing of your personal information in certain circumstances;
  • Request not to be the subject to automated decision-making which produces legal effects that concern you or affects you in a significant way.

Data subject access requests

All individuals who are the subject of personal data held by Teatro Vivo are entitled to: 

  • Ask what information we hold about them and why;
  • Ask how to gain access to it;
  • Be informed how to keep it up to date; and
  • Be informed as to how we are meeting our data protection obligations.

If an individual contacts Teatro Vivo requesting this information, this is called a subject access request. 

We will take reasonable steps to ensure that any request is dealt with promptly within the statutory time limits. Upon being made aware of a subject access request we will:

  1. Clarify that it is a subject access request. If there is any doubt about whether the request is a subject access request, we will treat it a such until it we are satisfied that it is not.
  2. Request information to verify the identity of the individual before sharing any information, by way of a passport, drivers licence or birth certificate.
  3. Check all electronic records and hard copy records contained in any structured filing system.
  4. Consider if this data has been shared with any other parties or if they have processed data on Teatro Vivo’s behalf. It may be necessary to seek a copy of all the relevant data from them also.
  5. Review all the relevant data, check to ensure no third-party data is included and consider whether any redaction is required or whether we require the third party’s consent to share it.
  6. Check if there are any exemptions contained within the UK GDPR and the Data Protection Act 2018 which prevent or exempt Teatro Vivo from sharing this information with the data subject.
  7. Consider if we need to request an extension of time to properly fulfil the request. If so, the extension sought will be for no longer than two months, will be sought within one of the original request and specific reasons will be given setting out the need for the extension.
  8. Consider if the request may be vexatious, too time consuming or too costly to comply with as defined by the legislation or the ICO.
  9. Subject to the foregoing, complete and provide a copy of all information to the data subject in a secure format within one calendar month of the receipt of the request.

Any person wishing to make a subject access request should apply in writing to the Artistic Directors at [email protected], giving their full name and contact details and setting out what data they require.


Complaints relating to breaches of the UK GDPR and/or complaints that an individual’s personal data is not being processed in line with the data protection principles should be referred to the Artistic Directors at [email protected].

The UK GDPR also gives you the right to lodge a complaint with the Information Commissioners’ Office if you are in the UK, or with the supervisory authority of the Member State where you work, normally live or where the alleged infringement of data protection laws occurred. The Information Commissioner’s Office can be contacted at


The Policy will be reviewed by Teatro Vivo’s Board every 3 years, or earlier if there are changes to legislation and/or to our use of data.



Appendix A: The principles of good data protection practice

  • Personal data shall be processed fairly and lawfully
  • Personal data shall be obtained only for specified, lawful purposes and shall not be further processed in any manner incompatible with such purpose(s).
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose(s) shall not be kept for longer than is necessary.
  • Personal data shall be processed in accordance with the rights of data subjects under the DPA.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.