Privacy Policy
1. Background
This policy outlines Festivals (Tinderbox, Northside, Forever, Fyrfest, DTD Concerts, DTD Rental, DTD Projects) called DTD GROUP’s approach to complying with the applicable data protection legislation. The management of DTD Group, registered at Studsgade 35B, 8000 Aarhus C, are committed to complying with all relevant UK and EU laws in respect of personal data and the protection of the ‘rights and freedoms’ of individuals whose information they collect and process.
1.2 POLICY OWNER
This policy applies to all data processed by all Companies within DTD Group, and it is owned by the nominated Privacy Lead.
1.3 POLICY AUDIENCE
This policy applies to all employees and third parties who are involved in the processing of personal data in the course of their duties. The policy may be shared with third parties so that they will understand what they are expected to do to support DTD Group in fulfilling their data protection obligations.
Any third party working with or on behalf of DTD Group, that have, or might have, access to personal data will be expected to have read, understood and to comply with this policy or be committed to an equivalent approach to regulatory compliance.
1.4 EFFECTIVE DATE
This policy is effective from 2024 may 5th. All activities conducted by DTD-Group should comply from this date.
This policy will be reviewed on a regular basis and in any event not later than every 12 months from the effective date.
1.5 POLICY GOVERNANCE
1.5.1 DISPENSATIONS
If a business area cannot comply with one or more of the requirements set out in this policy, a formal request for a dispensation must be submitted to the Privacy Lead for approval with suggested mitigatory actions.
The Privacy Lead must maintain a register of dispensations and a privacy risk register. Any dispensations must be reviewed and updated annually.
1.5.2 POLICY NON-COMPLIANCE
Non-compliance with this policy, where an approved dispensation is not in place, must be reported to the Privacy Lead.
Any employee not complying with this policy may be subject to disciplinary action.
2. Statements
2.1 DATA PROTECTION PRINCIPLES
All processing of personal data must be conducted in accordance with the Data Protection Act 2018 and the GDPR. DTD Group policies and procedures will ensure compliance with the following principles:
• Personal data must be processed lawfully, fairly and in a transparent manner.
• Personal data can only be collected for specific, explicit and legitimate purposes.
• Personal data must be adequate, relevant and limited to what is necessary for processing.
• Personal data must be accurate and kept up to date with every effort to erase or rectify without delay.
• Personal data must be kept in a form such that the data subject can be identified only as long as it is necessary for processing.
• Personal data must be processed in a secure manner.
DTD Group must be able to demonstrate compliance with the above points.
Any further queries or clarifications should be directed to the Privacy Lead.
2.2 PRIVACY NOTICE
DTD GROUP is committed to the protection of customers’ privacy. The DTD Group’s Privacy Notice describes how customers’ personal data is collected, used, disclosed, retained and protected.
We will share your data with Superstruct Digital Services B.V., an entity in our group, and with third party technology providers including Braze and Looker, who each provide services to us in connection with storing your data and communications in relation to your booking and the festival. This sharing will take place in accordance with data sharing agreements.
The specific information provided to the data subject includes:
• the identity and the contact details of the controller and, if any, of the controller’s representative;
• the contact details of the Privacy Lead
• the purposes of the data processing as well as the legal basis for the processing;
• the retention period;
• the existence of the rights to request access, rectification, erasure or to object to the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients of the personal data;
• transfers of personal data to a recipient in a third country and the level of protection afforded to the data;
• any further information necessary to guarantee secure and fair processing.
Privacy notices will be regularly reviewed and updated in line with changes across the business.
3. Roles and responsibilities
DTD Group is the controller when managing personal data that relates to employees, internal operations and customers.
The Privacy Lead is responsible for overseeing compliance with the DPA and GDPR and other relevant laws.
4. Managing personal data
4.1 GENERAL
It is the responsibility of all members of DTD Group to ensure that the business areas in which they operate work to this policy and related documents, can evidence compliance, ensure that they are fully aware of their roles and responsibilities and report promptly incidents or violations contrary to this Policy.
4.2 EMPLOYEES DATA
4.2.1 BASIS FOR PROCESSING
Personal data on employees is processed under their contract of employment.
4.2.2 PRINCIPLES FOR PROCESSING
• All employees will work proactively with DTD Group to ensure their personal data is maintained accurately;
• All staff members that handle employee data will be signed up for confidentiality;
• Employee data will not be shared with customers unless specifically stated in the contract;
• All employees have the right to raise a data subject request;
• Any employee who is dissatisfied with the way their personal data has been handled by DTD Group may raise a complaint via their line manager;
• All employees have the right to lodge a complaint with their local data protection authority – the ICO in the UK, the Irish Data Commissioner in Ireland and national authorities in EU Member States.
4.3 CUSTOMER DATA
4.3.1 BASIS FOR PROCESSING
As outlined in the Privacy Notice, personal data processed on behalf of a customer will be conducted under:
– Contract
– Legitimate interest (Please conduct Legitimate Interest Assessment provided to decide whether appliable for each processing)
– Consent
– Legal obligation
– If we need to perform a public task or under vital interest of data subjects
Where consent is the legal basis for processing it must have been explicitly and freely given, by statement or by a clear affirmative action. This will signify agreement to the processing of personal data relating to that individual. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
Where consent has been obtained, as a general rule it should be refreshed every 2 years and can be withdrawn at any time by contacting It department at data@dtdgroup.dk If refreshed after a longer period, it must nevertheless be refreshed regularly (particularly if there is a change of processing activity).
All processing conducted on behalf of customers will be in line with this policy and in accordance with all applicable laws.
4.4 BASIS FOR PHOTOS OR VIDEOS AT THE FESTIVAL SITE
At the festival site, photographers move around capturing moments for Tinderbox through video and images, which are used for marketing purposes. If you are the focus of any of these recordings, we always ask for your permission before using the material for commercial purposes. There may also be situations where you appear in photos or videos alongside other festival-goers, and in these cases, it can be difficult to obtain consent from everyone. If there is a picture or recording of you that you do not want used for marketing, you are welcome to request its removal at any time. Please contact us at info@tinderbox.dk if you have any questions.
5. Data subject rights
Under Data Protection laws, data subjects are entitled to exercise the following rights:
• to request access to and/or a copy of your personal information;
• to ask us to modify your personal information if you think is inaccurate or incomplete;
• to request the deletion of the personal information we hold about you;
• to ask us to limit the processing of your personal information;
• to request that your personal information is provided to you in a machine-readable format and directly transmitted to another controller if the processing is based on consent or contract;
• to object to the processing of your personal information if it is based on legitimate or public interest;
• not to be subject to decisions based only on automated processing.
Data subjects can exercise their rights and withdraw their consent by contacting the DTD Group.
DTD Group will ensure that data subjects may exercise these rights, by also establishing procedures to support the enforcement of these rights. These procedures describe how DTD Group will ensure that its response to the data subject request complies with the requirements of GDPR.
Data subjects have the right to complain in relation to the processing of their personal data, the handling of a request or how complaints have been handled in line with the complaints procedure, by contacting DTD Group.
For further details, please refer to Data Subject Access Request Procedure.
6. Personal data security
All Employees are responsible for ensuring that any personal data that DTD Group holds and for which it is responsible, is kept securely. All personal data will be held in accordance with the DTD Group’s Information Security Policy.
Personal data will not be disclosed to a third party unless that third party has been specifically authorised to receive the information and has entered into a signed agreement with DTD Group that incorporates both confidentiality and the approval to process such data.
All personal data should be accessible only to those who need to use it, and access may only be granted in line with their role in the business. All personal data should be treated securely and must be kept:
• in a lockable room with controlled access.
• in a locked drawer or filing cabinet.
• if computerised, password protected in line with the information security policy.
• stored on (removable) computer media which are encrypted.
Manual records that include personal data should only be removed from business premises if strictly necessary to do so.As soon as personal data records are no longer required for operational purposes, they must be removed for secure archiving in line with the related procedures.
Appropriate security measures must be applied to all personal data that is held either manually or in computerised systems. Details are outlined in the Information Security Policy.
6.1 PERSONAL DATA INCIDENTS AND BREACHES
All incidents that involve the unauthorised disclosure, collection, processing, transmission, or deletion of personal data will be reported in accordance with the Data Breach Management Procedure.
All processors are required to report personal data incidents or breaches to DTD Group without undue delay.
6.2 DATA PROTECTION IMPACT ASSESSMENT (DPIA)
A data protection impact assessment (DPIA) will be conducted whenever a new service involving personal data is being developed or new technologies are being considered. For further details, please refer to Data Protection Impact Assessment Procedure and Screening Questionnaire.
6.3 RECORDS RETENTION, DISPOSAL AND DATA ACCURACY
Data may be stored only for as long as necessary to fulfil the purpose for which the data was collected. Data may be deleted or disposed of after the expiration of the retention period in line with the disposal procedures “GDPR pr. Afdeling” of DTD Group.
For further details, please refer to DTD Group Retention and Disposal Procedure.
7. Third parties
Any third-party business service providers working with or for DTD Group that have, or might have, access to personal data will be expected to have read, understood, and comply with this policy. All third-party business service providers working with or for DTD Group will be registered to Third Party. Register by the DTD Group’s Privacy Lead.
All third-party processors must have a contract in place, with suitable data protection clauses, before the processing of personal data commences, in compliance with the relevant requirements.
No third party may access personal data held by DTD Group without first having entered a contract or, in the absence of a contract, a data processing agreement. This will impose obligations on the third party no less onerous than those which DTD Group is committed to.
Any sub-processors appointed by the third party must be approved, in writing, by the relevant controller before the processing commences.
8. Data transfers
All exports of data from within the European Economic Area (EEA) to third countries, outside the EEA, must have an adequate level of protection in place.
Whenever a third-party processor intends to or is processing data in a third country, the Privacy Lead must be informed without delay.
9. Disclosure of personal data
DTD Group must ensure that personal data is not disclosed to unauthorised third parties. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to consider whether disclosure of the information is relevant to, and necessary for, the conduct of the business.
Any requests to share personal data with third parties, out of the course of normal business operations, should be referred to the Privacy Lead.
All requests to provide data to third parties must be supported by appropriate documentation.
10. annex – Definitions
Establishment – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities.
The main establishment of a processor in the EU will be its administrative centre. If a controller is based outside the EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on behalf of the controller and deal with supervisory authorities.
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data subject – any living individual who is the subject of personal data held by an organisation.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.
Data subject consent – means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Child – the GDPR defines a child as anyone under the age of 16 years old, although this may be lowered to 13 by Member State law. The processing of personal data of a child is only lawful if parental or custodian consent has been obtained. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Third Country – any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data that is outside of the EEA. Transfers of personal data to “third countries” (i.e. outside of the EEA) is restricted under the GDPR.
11. Contact information
11.1 f you have any questions regarding our policy, please contact us at the following information:
(a) Tinderbox Entertainment ApS, Studsgade 35B, 8000 Aarhus C, CVR: 36 06 98 48
(b) Phone: +45 7020 2622
(c) E-mail: data@dtdgroup.dk
Last updated on 30.09.2024